(U) OFFICE OF THE INSPECTOR GENERAL


(U) Chartered by the NSA Director and by statute, the Office of the Inspector General conducts audits,
investigations, inspections, and special studies. Its mission is to ensure the integrity, efficiency, and
effectiveness of NSA operations, provide intelligence oversight, protect against fraud, waste, and 
mismanagement of resources by the Agency and its affiliates, and ensure that NSA activities comply with the 
law. The OIG also serves as an ombudsman, assisting NSA/CSS employees, civilian and military. 


(U) AUDITS 


(U) The audit function provides independent assessments of programs and organizations. Performance audits 
evaluate the effectiveness and efficiency of entities and programs and their internal controls. Financial audits
determine the accuracy of the Agency’s financial statements. All audits are conducted in accordance with
standards established by the Comptroller General of the United States. 


(U) INVESTIGATIONS 


(U) The OIG administers a system for receiving complaints (including anonymous tips) about fraud, waste, and 
mismanagement. Investigations may be undertaken in response to those complaints, at the request of
management, as the result of irregularities that surface during inspections and audits, or at the initiative of the 
Inspector General. 


(U) INTELLIGENCE OVERSIGHT 


(U) Intelligence oversight is designed to ensure that Agency intelligence functions comply with federal law, 
executive orders, and DoD and NSA policies. The IO mission is grounded in Executive Order 12333, which 
establishes broad principles under which IC components must accomplish their missions. 


(U) FIELD INSPECTIONS 


(U) Inspections are organizational reviews that assess the effectiveness and efficiency of Agency components. 
The Field Inspections Division also partners with Inspectors General of the Service Cryptologic Elements and 
other IC entities to jointly inspect consolidated cryptologic facilities.

OFFICE OF THE INSPECTOR GENERAL


20 February 2015 
IG-11763-15 
Re-Issued 
TO: DISTRIBUTION 


SUBJECT: (U//FOUO) Report on the Implementation of §215 of the USA PATRIOT Act and
§702 of the FISA Amendments Act of 2008 (ST-14-0002) 


1. (U//FOUO) Attached please find the report on Implementation of §215 of the USA
PATRIOT Act and §702 of the FISA Amendments Act of 2008, as requested by members of the 
Senate Committee on the Judiciary. 


2. (U) In September 2013, ten members of the Senate Committee on the Judiciary 
requested a comprehensive, independent review of the implementation of §215 of the USA 
Patriot Act and §702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act 
(FAA) of 2008 (FAA §702) for calendar years 2010 through 2013. In January 2014, NSA’s 
Office of the Inspector General (OIG) and staff members of the Senate Committee on the 
Judiciary agreed on the scope of a review the OIG would conduct on NSA’s use of both 
authorities. 


3. (U) The following is the NSA OIG’s report on both authorities which will be sent to 
the ten members of the Senate Committee of the Judiciary who requested the review, the 
Chairman and Ranking Member of the House Committee on the Judiciary, the Chairman and 
Vice Chairman of the Senate Select Committee on Intelligence, and the Chairman and Ranking 
Member of the House Permanent Select Committee on Intelligence.


4. (U//FOUO) We appreciate the cooperation and courtesies extended to our personnel
throughout the review. 


DR. GEORGE ELLARD 
Inspector General 


(U) This report might not be releasable under the Freedom of Information Act or other 
statutes and regulations. Consult the NSA/CSS Inspector General Chief of Staff before 
releasing or posting all or part of this report.

I. (U) INTRODUCTION


(U) Reason for Review 


(U) In September 2013, ten members of the Senate Committee on the Judiciary requested a 
comprehensive, independent review of the implementation of §215 of the USA PATRIOT Act
and §702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA) of 2008
for calendar years 2010 through 2013.


(U) Objectives 


(U) In January 2014, the National Security Agency/Central Security Service’s (NSA) Office of 
the Inspector General (OIG) and Committee staff agreed that the NSA OIG would review NSA’s 
implementation of both authorities for calendar year 2013. The study has three objectives: 


(U) Objective I

• (U) Describe how data was collected, stored, analyzed, disseminated, and retained
under the procedures for §215 and FAA §702 authorities in effect in 2013 and the
steps taken to protect U.S. person information.

• (U) Describe the restrictions on using the data and how the restrictions have been
implemented, including a description of the data repositories and the controls for
accessing data.

• (U) Describe oversight and compliance activities performed by internal and external
organizations in support of §215 Foreign Intelligence Surveillance Court (FISC)
Orders and FAA §702 minimization procedures.


(U) Objective II

• (U) Describe incidents of non-compliance with §215 FISC Orders and FAA §702
Certifications and what NSA has done to minimize recurrence.


(U) Objective III

• (U) Describe how analysts used the data to support their intelligence missions.


(U//FOUO) Our study of NSA’s implementation of §215 and FAA §702 authorities was based
largely on program stakeholder interviews and reviews of policies and procedures and other
program documentation. For this review, the NSA OIG documented the controls implemented to
address the requirements of each authority; however, we did not verify through testing whether
the controls were operating as described by program stakeholders.

II. (U) SECTION 215 OF THE USA PATRIOT ACT


(U) Background 


(U) Business Records Order 


(U) Since May 2006, the Foreign Intelligence Surveillance Court (FISC) has 
authorized the National Security Agency/Central Security Service’s (NSA) bulk 
collection program under the “business records” provision of the Foreign Intelligence 
Surveillance Act (FISA), 50 U.S.C. §1861, as amended by §215 of the USA 
PATRIOT Act, legislation enacted by the U.S. Congress and signed into law by the 
President. From its first authorization in May 2006 through December 2014, the 
program has been approved 40 times under Business Records (BR) Orders issued by 
18 FISC judges. 


(TS//SI//NF) Pursuant to the series of BR Orders issued by the FISC, NSA receives


(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


certain call detail records (or BR metadata) from U.S. telecommunications
providers. NSA refers to the series of BR Orders approved by the FISC as the “BR 
Order” and the control framework NSA has implemented as the “BR FISA program.” 


(U) The BR Order requires that providers produce to NSA certain information about 
telephone calls, principally those made within the United States and between the 
United States and foreign countries. This information is limited to BR metadata, 
which includes information concerning telephone numbers used to make and receive 
calls, when the calls took place, and how long the calls lasted but does not include 
information about the content of calls, the names of the participants, or cell site 
location information (CSLI). 


(U) The BR FISA program was developed to assist the U.S. government in detecting 
communications between known or suspected terrorists who are operating outside the 
United States and communicating with others inside the United States, as well as 
communications between operatives within the United States. The BR Order 
authorizes NSA analysts to query BR metadata only for identified counterterrorism 
purposes. The BR FISA program includes oversight mechanisms to maintain 
compliance with the BR Order and external reporting requirements to the FISC and 
Congress. 


(U) BR renewal process 


(U) Approximately every 90 days, the Department of Justice (DoJ) on behalf of the 
Federal Bureau of Investigation (FBI) and NSA files an application with the FISC 
requesting that certain providers continue to provide calling records to NSA for 
another 90 days. If the FISC approves the government’s applications to renew the
program, the Court issues a “primary order” delineating the scope of what the
providers must furnish to NSA and the provisions for NSA’s handling of BR
metadata. The FISC issues “secondary orders” separately to each provider, directing
them to deliver an electronic copy of certain calling records to NSA daily until the 
expiration of the BR Order. 


(U) Methodology and Scope 


(b)(3)-P.L. 86-36


(U) Our review of the BR FISA program control framework, incidents of 
non-compliance, and NSA’s use of the authority to support its counterterrorism (CT) 
mission was based largely on BR program stakeholder interviews and reviews of 
policies and procedures and other program documentation. For this review, we did 
not verify through testing whether the controls were operating as described by BR 
program stakeholders. However, we tested controls of the BR program during 
previous NSA Office of the Inspector General (OIG) reviews (see the Oversight 
section for a list of those reviews). 


(U) Our study focused on the processes and controls in place in 2013. We used BR
Order 13-158 ae by the FISC 


and compared the requirements listed in that Order with the 
processes and controls NSA used to maintain compliance with that Order. In 
addition, we documented the changes implemented in the BR FISA program 
following the President’s directives in 2014. 


(U) Presidential directives affecting querying controls in 2014 


(U) On 17 January and 27 March 2014, the President of the United States directed 
that NSA implement the following changes to the BR FISA program: 


1. (U//FOUO) Submit selection terms to the FISC for reasonable articulable
suspicion (RAS) approval (see Querying section for RAS discussion). Before 
17 January 2014, RAS selection terms were approved by the Chief or Deputy 
Chief of NSA’s Homeland Security Analysis Center (S214) or one of the 
twenty specially authorized Homeland Mission Coordinators (HMCs) as the 
BR Order required, and NSA’s Office of General Counsel (OGC) performed 
First Amendment reviews for selection terms associated with U.S. persons 
(USPs). 


2. (U//FOUO) Restrict contact chaining to two hops from seed selection terms
(see Querying section for contact chaining discussion). Before 
17 January 2014, the BR Order authorized appropriately trained and 
authorized NSA analysts to query to three hops; however, NSA guidance 
restricted those analysts to query BR FISA repositories two hops from seed 
selection terms and one additional hop (three hops from seed selection terms) 
with Analysis and Production (S2) management approval. 


3. (U) Store BR metadata in provider controlled repositories and not in NSA 
repositories. Once implemented, NSA will submit FISC-approved RAS 
selection terms to providers for them to query their repositories. Providers 
will provide to NSA only the results of those queries. 


TOP SECRET//SI//NOFORN

(U//FOUO) NSA implemented the first two directives by February 2014. The third
directive, storing BR metadata in provider repositories and obtaining only those query 
results from providers, will require Congressional approval of a new statute for the 
production of business records, which had not been implemented before this report 
was issued. 


(U//FOUO) The following sections describe how the BR FISA program control
framework complies with BR Order 13-158 (including the changes implemented 
following the President’s directives in 2014), the 2013 BR FISA program incidents of 
non-compliance, and NSA’s use of the BR FISA authority. 


(U) BR FISA Program Control Framework 


(U//FOUO) The BR FISA program control framework describes how NSA collects,
samples, stores, accesses, queries, disseminates, and retains BR metadata and the
oversight mechanisms to comply with the BR Order. This section summarizes the 
provisions of the BR Order and the controls implemented for each phase of the BR 
FISA production cycle. 


(U) Collection


(U) Provisions of BR Order 13-158

(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


The BR Order requires U.S. telecommunications providers to
provide 


an electronic copy of certain call detail records (hereinafter referred to
as “BR metadata”). The BR Order defines BR metadata as comprehensive
communications routing information, including but not limited to session identifying
information (e.g., originating and terminating telephone number, International Mobile
Subscriber Identity (IMSI) number, and International Mobile Station Equipment
Identity (IMEI) number), trunk identifier, telephone calling card numbers, and time
and duration of call.¹ BR metadata does not include the substantive content of
communications; the name, address, or financial information of a subscriber or
customer; or CSLI.


(U) Data received from providers 


(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


1 (U) The IMEI number is a type of metadata related to mobile telephony. It is permanently embedded in a mobile
telephone handset by the manufacturer and generally is not changeable by the user. In most instances, the IMEI
does not travel with the Subscriber Identity Module (SIM) card, in contrast to the IMSI number, which does. The
IMSI number is another type of metadata related to mobile telephony. It is a 15-digit number used to identify a
customer. IMSI numbers are permanently stored on SIM cards, allowing a user to plug a card into any mobile
telephone and be billed correctly. Calling card numbers are numbers used for billing telephone calls. A calling card
number may be a telephone number, as the phrase is commonly understood and used, plus a personal identification
number, or may be another unique set of numbers not including a telephone number.

(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


2 (U//FOUO) A SCIF is an accredited area, room, or installation, incorporating physical control measures (e.g.,
barriers, locks, alarm systems, armed guards), to which no person has authorized access unless approved to receive
the particular category of sensitive compartmented information and has a need to know the sensitive
compartmented information activity conducted therein.
(b)(3)-P.L. 86-36
3 (U; A contact chain 
shows that selection term A communicated with selection term B, their first and last contact dates, telephony type, 
and the total number of communications between selection terms A and B. 


(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

(TS//SI//NF) Figure 1 illustrates the BR metadata dataflow from the provider to NSA
and the various BR metadata repositories in 2013.

(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

(TS//SI//NF) Figure 1. BR Metadata Dataflow and Repositories




The BR Order requires that provide all BR
metadata for communications between
the United States and abroad or wholly within the United States, including local
telephone calls. The BR Order does not require

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

(TS//SI//NF) As of 31 December 2013, NSA received BR metadata
from providers:

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

Table 1. BR FISA


(U) Metadata Sampling 
(U) Sampling to verify BR metadata integrity 

(U//FOUO) NSA’s Data Integrity Analysts (DIAs) team
(b)(3)-P.L. 86-36

(531324) has full-time employees dedicated to
the BR FISA program. DIA responsibilities include:


• (U//FOUO) Verifying that BR metadata is correctly ingested, processed, and
formatted into chains;

(b)(1)

(U//FOUO) The BR FISA Authority Lead is responsible to the NSA Director and the Director of the Signals
Intelligence Directorate for implementation of FISC BR authorizations by the NSA organizations responsible for the
collection, processing, and analysis of BR metadata under the BR Order.


NSA has two types of controls to monitor data received from the
providers and maintain compliance with the BR Order;
preventive control that uses rules. The second is a performed


the DIAs data sampling techniques


(b)(3)-P.L. 86-36


The DIAs maintain the but changes are implemented by the
team. The are updated as needed and reviewed at least
quarterly. The DIA team reviews proposed changes
changes will be implemented by the
tracked and maintained on the


team runs tests to verify that changes have been implemented and gives the
test results to the DIA team to validate that the changes have been made.


(U//FOUO) Sampling DIAs run queries on the BR metadata to
answer five questions as part of the sampling process controls to verify compliance
with the BR Order:

1. (TS//SI//NF) Did the BR metadata contain credit card numbers?

2. (U//FOUO) Did NSA detect CSLI in the identification field?

3. (U) Did the BR metadata record structure adhere to expectations?

4. (U) Did the BR metadata record content adhere to expectations?

5. (U//FOUO) Did adhere to expectations?


(U) The sampling results are submitted to NSA’s Office of the Director of 
Compliance (ODOC) in weekly BR FISA compliance reports. ODOC compiles the
information with other compliance reports and provides it to the Director of
Compliance for review. The BR FISA Authority Lead summarizes the weekly BR 
FISA compliance reports for the DoJ National Security Division’s (NSD) review 
before quarterly compliance review meetings (see Oversight section). 


Credit card numbers DIAs sample the


known to have contained
credit card numbers used as part of calling card personal identification numbers. The
BR Order does not authorize NSA to receive customer financial information.

DIAs BR metadata records for the that could

metadata is performed to identify

to screen for credit card numbers.


card numbers and forward them to 
DIAs determine whether the credit card 
and notifies stakeholders, 


"'(b)(3)-P.L. 86-36 


To demonstrate the number of files and BR metadata records that are
sampled daily for credit cards, the OIG randomly selected for review
(Table 2).


numbers were ingested into
including DoJ NSD.

(U) Table 2. Sampling Metrics for Credit Cards

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


To demonstrate the number of files and BR metadata records sampled
for credit cards, the OIG randomly selected the testing
performed on (Table 3):

(U) Table 3. Sampling Metrics for Credit Cards

(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

Cell-site location information (CSLI) DIAs test
to verify that it does not contain CSLI because the BR Order prohibits
NSA from receiving this data. The DIAs sample

(b)(3)-P.L. 86-36

DIAs have identified no CSLI data in
the feed since it became operational

(b)(3)-P.L. 86-36

(TS//SI//NF) Record structure The DIAs sample BR metadata records
each feed to test whether the BR metadata record structure has changed.


(b)(1)
(b)(3)-P.L. 86-36

If any tests show differences, a warning message is generated for the DIAs
to address. Changes in BR metadata record structure are very rare, but, if identified,
the provider is contacted to determine whether the change is permanent or a one-time 
processing anomaly. 


(U//FOUO) BR metadata record content DIAs review the BR metadata record
content for each feed

According to the DIAs, exceptions are very rare.

(U//FOUO) Table 4 shows the percentage of the feeds tested for BR metadata
record structure and content during 2013.

(U//FOUO) Table 4. Sampling Percentages for BR Metadata Record
Structure and Content Testing

(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


(TS//SI//NF) Data feed volumes DIAs monitor data feed volumes for
anomalies by reviewing the “Status Report,” which lists for
each feed the number of raw BR metadata records received and the

(b)(3)-P.L. 86-36

(U//FOUO) Table 5 shows the number of BR metadata records received


5 (U//FOUO) BR metadata record content is distinct from the content of communications: BR metadata record
content does not contain the content of communications, defined in 18 U.S.C. §2510, as the substance, purport, or
meaning of a communication.

(U) Table 5. Total Number of BR Metadata Records Received
(b)(3)-P.L. 86-36

(U) Table 6 summarizes the provisions of BR Order 13-158 for collection and the
controls NSA implemented to maintain compliance.

(U) Table 6. Collection Provisions and Controls

Provision: (TS//SI//NF) Provide Daily BR Metadata Records
Control: (TS//SI//NF) monitor for data flow problems. DIAs monitor data feed volumes for anomalies.

Provision: (U) NSA only Receives
Control: (TS//SI//NF) Parser rules are designed to prevent unauthorized data from being ingested into operational systems. DIAs sample detect unauthorized data.

(b)(1)
(b)(3)-P.L. 86-36

(U) Repositories


(U) Provisions of BR Order 13-158 


(U) NSA will store and process BR metadata in repositories within secure networks 
under NSA control. 


(U) NSA repositories that store BR metadata 


(U//FOUO) All NSA systems that store and process BR metadata are certified as
secure through an accreditation and certification process and are in NSA controlled 
SCIFs. During 2013, the following systems stored and processed BR metadata. 


(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

corporate database
repository that stores BR metadata

and has the same hardware and software

• (U//FOUO) Backup tapes are maintained at The BR
metadata electronically stored in are saved to tape backup

• (U//FOUO) designed for the BR FISA program is software
that runs on a system.

systems move metadata between systems

(C//REL TO USA, FVEY) How information is stored in

are the only operational
databases used to store BR metadata for intelligence analysis. As previously
mentioned,

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-18 USC 798
(b)(3)-50 USC 3024(i)


(U) NSA system accreditation and certification processes 


(U//FOUO) Accreditation a) is responsible for
managing the risk on all NSA networks and the computer systems and devices 
connected to those networks. TS responsibilities include: 


(b)(3)-P.L. 86-36

• (U//FOUO) Guiding, prioritizing, and overseeing the development of
information assurance programs necessary to ensure protection of information
systems and networks by managing the NSA Information Security Program,

• (U//FOUO) Serving as the NSA Director’s Authorizing Official to accredit all
NSA information systems,

• (U//FOUO) Conducting information systems security and accreditation and
risk management programs, and

• (U//FOUO) Establishing, maintaining, and enforcing information systems
security policies and implementation guidelines for NSA.

(U) A relational database stores data in tables using a standardized data format. This allows similar information to
be organized and queried on the basis of specific data fields.


(U//FOUO) Accreditation is the official management decision to permit operation of
an information system in a specific environment at an acceptable level of risk, based
on the implementation of an approved set of technical, managerial, and procedural
safeguards.


(U//FOUO) When accrediting systems, TS uses a risk management framework to
determine the appropriate level of risk mitigation needed to protect systems, 
information, and infrastructure. The framework comprises six steps. 

• (U) Categorize the information and information system,

• (U) Select an initial baseline of security controls and tailor as appropriate for
the system, data, and environment,

• (U) Implement and build the security controls in the information system,

• (U) Authorize the operation of the information system (accept the risk), and

• (U) Monitor continually and assess the effectiveness of the security controls.

(U//FOUO) Before a system is authorized to be put on a network, it must go through
the accreditation process and be approved by TS. Table 7 lists the dates through
which the BR repositories are accredited.


(U) Table 7. Dates through which BR Repositories Are Accredited 


(b)(3)-P.L. 86-36

(U//FOUO) Certification In addition to the TS system accreditation requirement, all
systems containing FISA data must be certified
TV4 is the NSA authority for
certification of systems to ensure they are compliant with the legal and policy
regulations protecting USP privacy.

(b)(3)-P.L. 86-36


TV began certifying FISA systems, including the repositories
that contain BR metadata, to ensure that they comply with USP privacy protection.


TV developed the NSA corporate database for registration of
NSA systems and their compliance certification and data flows. It is NSA’s
authoritative source for all compliance certifications. TV’s certification process 
evaluates system controls for maintaining compliance in the following areas: purge, 
data retention and aging off, data access, querying, dissemination, data tagging, 
targeting, and analytical processes. 


(U//FOUO) To be certified to handle FISA data, systems must be certified by TV as
part of the Compliance Certification process. Table 8 shows the TV4 certification 
dates for repositories that contain BR metadata. 


(U) Table 8. Certification Dates for Repositories Containing BR Metadata 


(U) Table 9 summarizes the provision of BR Order 13-158 for repositories and the 
control NSA implemented to maintain compliance. 


(U) Table 9. BR Repository Provision and Control 


Provision: NSA will store and process BR metadata in repositories within secure networks under NSA control.
Control: All BR FISA systems are certified as secure through NSA’s system accreditation (TS) and certification process (TV4) and located in NSA controlled SCIFs.

(U//FOUO)


(U) Access and Training 


(U) Provisions of BR Order 13-158 


(U) BR metadata shall carry unique markings such that software and other controls 
(including user authentication services) can restrict access to authorized personnel 
who have received appropriate and adequate training with regard to this authority. 
NSA shall restrict access to BR metadata to authorized personnel who have received 
appropriate and adequate training. 


(U) Appropriately trained and authorized technical personnel may access the BR 
metadata to perform those processes needed to make it usable for intelligence 
analysis. The Court understands that the technical personnel responsible for NSA’s 
underlying corporate infrastructure and the transmission of the BR metadata from the
specified persons to NSA will not receive special training regarding the authority
granted herein. 


(U) NSA’s OGC and ODOC will further ensure that all NSA personnel who receive 
query results in any form first receive appropriate and adequate training and guidance 
regarding the procedures and restrictions for the handling and dissemination of such 
information. NSA will maintain records of all such training. 


(U) OGC will provide DoJ NSD with copies of all formal briefing and/or training
materials (including all revisions) used to brief or train NSA personnel concerning 
this authority. 


(U) Restricting access to BR metadata to authorized personnel

(TS//SI//NF) The Signals Intelligence Directorate’s (SID) Office of Oversight &
Compliance (SV) verifies semi-weekly that persons authorized access to BR metadata

The training required for these two credentials is listed in the “Appropriate and
Adequate Training” heading of this section.

(b)(1)

(TS//SI//NF) The credential signifies that an individual has been
and appropriately trained (discussed below) with regard to the BR FISA program and
provides the authorization to view the results of BR metadata queries, in any form,
including written and oral summaries of results. does not provide access to
the BR metadata in the bulk metadata (BMD) repositories or authorization to query
the data.


(TS//SI//NF) Table 10 shows a breakdown of the number of personnel with as
of 31 December 2013 by affiliation.

(b)(3)-P.L. 86-36
(TS//SI//NF) Table 10. Number of Personnel with by Affiliation

NSA Military
Non-Agency Civilians
Contractors

(TS//SI//NF) Table 11 shows a breakdown of the number of personnel with as
of 31 December 2013 by work role.

(b)(3)-P.L. 86-36
(TS//SI//NF) Table 11. Number of Personnel with by Work Role

Analyst 
Oversight 
Leadership 


Technical 


Contractor 


(b)(3)-P.L. 86-36

(TS//SI//NF) The credential signifies that a person is authorized to access
BMD repositories and is the first step in obtaining the ability to use
to perform queries against BR metadata.
authorized for specific intelligence analysts working CT targets described in the BR
Order and technical personnel who maintain the systems that process and store BR
metadata. The BR FISA Authority Lead is the ultimate authority for deciding which
organizations are authorized to access BR metadata repositories.

(b)(1)
(b)(3)-P.L. 86-36

(TS//SI//NF) Table 12 shows a breakdown of the number of personnel with
as of 31 December 2013, by affiliation and work role.

(TS//SI//NF) Table 12. Number of Personnel with
by Affiliation and Work Role

(b)(1)
(b)(3)-P.L. 86-36

NSA Civilians
Total
NSA Military
Technical


(TS//SI//NF) In addition to [redacted], if an individual needs to
query BR metadata using the intelligence analyst contact chaining tool, a Division
Chief, Deputy Division Chief, Branch Chief, or Deputy Branch Chief must submit to
[illegible] SV a written request that the individual be given query access. If the individual is
current in all [illegible] and holds a [redacted], SV sends an
e-mail to the [redacted] team and requests that the person be added to the

(b)(3)-P.L. 86-36

(U//FOUO) [redacted] is the graphical user interface analysts use to query data, including BR
metadata, in [redacted].


TOP SECRET//SI//NOFORN

[redacted] User Group in [redacted]. The [redacted] administrator verifies the
person’s credentials and training, adds the person to the user group, and notifies SV
when complete. Upon completion, [redacted] sends an e-mail to SV
indicating that the person has been added to the user group. This additional
management control helps ensure that only appropriately trained and authorized
personnel are able to execute queries.

(b)(3)-P.L. 86-36


(U//FOUO) Table 13 shows a breakdown of the number of personnel on the
[redacted] User Group with querying capability as of 31 December 2013.

(b)(3)-P.L. 86-36
(U) Table 13. Number of Personnel with Querying Capability 

as of 31 December 2013 


Analysts 


Technical 


(U//FOUO)


(TS//SI//NF) Receiving query results NSA personnel who receive query results are
required to receive training and guidance regarding the procedures and restrictions for
handling and disseminating such information. Before analysts send BR-unique query
results containing USP information to another individual, they must first confirm that
the recipient has the [redacted] credential.13 Sharing BR-unique query results
containing USP information with an individual without the [redacted] credential would
violate the BR Order and require notice to the Court.


(b)(1) 

(b)(3)-P.L. 86-36

(U) Training records The BR Order requires that NSA maintain records of BR
training. NSA’s Associate Directorate for Education and Training (ADET) 
Enterprise Learning Management database is NSA’s source system of record (SSR) 
for maintaining training completion records for all required training. 


(U) Figure 3 shows the categories of individuals authorized access to BR data. 


(b)(3)-P.L. 86-36


(U//FOUO) [illegible]: NSA’s Corporate Authorization Service Portal, which provides authorization attributes
and access control services to NSA programs and projects.

(U//FOUO) Figure 3. Access to BR Information Determined by Credentials
Maintained by BR Stakeholders

[Figure labels recovered: Specially authorized CT analysts; Technical personnel who develop or
maintain systems that process BR metadata. The remaining figure content is illegible or redacted
under (b)(3)-P.L. 86-36.]


(TS//SI//NF) Obtaining the credential To obtain the [redacted] credential,
a request must be submitted in the [redacted],
NSA’s corporate credentialing system. A request must contain the name of a
valid sponsor who currently holds the requested credential. The Associate
Directorate for Security and Counterintelligence (Q) reviews [redacted] requests for [illegible]
security concerns. If approved, the request is forwarded to SV for final adjudication.
SV verifies that the individual is current on the required training (explained below)
and that the request includes a valid mission [illegible]. If all requirements are met,
SV approves the credential in [redacted] for entry into [redacted].

(b)(3)-P.L. 86-36


(TS//SI//NF) Maintaining the credential To ensure that personnel remain current on
training, SV runs [illegible] several times a week that lists all the personnel
with the [redacted] credential and their training status, which is color coded
(green=current, red=expired). If someone’s OVSC1000 or OVSC1100 training has
expired, SV notifies that person by e-mail that training must be completed. If
OVSC1800 or OVSC1205/OVSC1206 has expired, access is revoked immediately.
Access is not restored until a new request is submitted and all training is
current. If an individual’s training expires and the credential has been revoked, this
would not violate the BR Order. However, if someone accesses BR metadata but has
not completed the required training, this would violate the BR Order because the
person has not been appropriately and adequately trained. The violation requires
notice to the Court.
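
The maintenance rule above, sketched as an added Python example (not code from the report or from NSA): an expired OVSC1000 or OVSC1100 only triggers a notice, while an expired OVSC1800 or OVSC1205/OVSC1206 requirement revokes access until a new request is submitted and all training is current. Treating 12 months as 365 days, counting OVSC1806 as the technical alternative to OVSC1800, the query-time check, and all names and dates are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# "Within the last 12 months", approximated here as 365 days (assumption).
VALIDITY = timedelta(days=365)

# Expiry of these courses leads to an e-mail notice only.
NOTIFY_ONLY = ("OVSC1000", "OVSC1100")
# Expiry of either requirement revokes access immediately. Each tuple lists
# the analytic/technical variants; counting OVSC1806 as an alternative to
# OVSC1800 is an assumption taken from the course descriptions.
REVOKING = (("OVSC1800", "OVSC1806"), ("OVSC1205", "OVSC1206"))


@dataclass
class Holder:
    name: str
    completions: dict = field(default_factory=dict)  # course -> last completion
    credential_active: bool = True


def is_current(holder, course, today):
    done = holder.completions.get(course)
    return done is not None and today - done <= VALIDITY


def lapsed(holder, today):
    """Return (revoking requirements lapsed, notify-only courses lapsed)."""
    revoking = ["/".join(alts) for alts in REVOKING
                if not any(is_current(holder, c, today) for c in alts)]
    notify = [c for c in NOTIFY_ONLY if not is_current(holder, c, today)]
    return revoking, notify


def review(holder, today):
    """One row of the periodic report: (colour, action, lapsed items)."""
    revoking, notify = lapsed(holder, today)
    if revoking:
        holder.credential_active = False      # revoked immediately
        return ("red", "revoke", revoking + notify)
    if notify:
        return ("red", "notify", notify)      # e-mail the holder, access stays
    return ("green", "none", [])


def restore(holder, new_request_submitted, today):
    """Access returns only with a new request AND all training current."""
    revoking, notify = lapsed(holder, today)
    if new_request_submitted and not revoking and not notify:
        holder.credential_active = True
    return holder.credential_active


def may_query(holder, today):
    """Query-time check, so a lapse between two report runs is still caught."""
    revoking, _ = lapsed(holder, today)
    return holder.credential_active and not revoking


def sample_holders():
    """Constructed sample data; names and dates are invented."""
    mid_2013 = date(2013, 6, 1)
    full = {c: mid_2013 for c in ("OVSC1000", "OVSC1100", "OVSC1800", "OVSC1205")}
    return {
        "alice": Holder("alice", dict(full)),
        "bob": Holder("bob", {**full, "OVSC1000": date(2012, 11, 1)}),
        "carol": Holder("carol", {**full, "OVSC1205": date(2012, 12, 1)}),
    }


if __name__ == "__main__":
    today = date(2013, 12, 31)
    for h in sample_holders().values():
        print(h.name, review(h, today), "may query:", may_query(h, today))
```

Because the report is run only several times a week, the example also checks training at query time; that extra gate closes the window between a lapse and the next report run.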


14 (U) The Court understands that the technical personnel responsible for NSA’s underlying corporate
infrastructure and the transmission of the BR metadata from the specified persons to NSA will not receive special
training regarding the authority granted herein.


(U//FOUO) Appropriate and adequate training NSA/CSS Policy 1-23, Procedures
Governing NSA/CSS Activities That Affect U.S. Persons, 30 July 2013, requires that
Agency personnel (civilians, military, military reservists, integrees, and most
contractors) complete intelligence oversight (IO) training annually.


(TS//SI//NF) In addition, to qualify for the [redacted] credential and comply
with the requirements of the BR Order, persons must have completed specific training
courses within the last 12 months. All courses are developed by NSA’s ADET in
conjunction with the OGC, mission subject matter experts, and mission compliance
professionals.

(b)(1)
(b)(3)-P.L. 86-36


(U//FOUO) OVSC1000, NSA/CSS Intelligence Oversight Training, the
Agency’s core IO course, is provided to the workforce to maintain a high
degree of sensitivity to and understanding of intelligence laws, regulations,
and policies associated with the protection of USP privacy rights during
mission operations. Personnel are familiarized with the major tenets of the
four core IO documents: Executive Order (E.O.) 12333, as amended;
Department of Defense (DoD) Regulation 5240.1-R; Directive Type
Memorandum (DTM) 08-052; and NSA/CSS Policy 1-23. OVSC1000 is web
based and includes knowledge checks for proficiency.15


(U//FOUO) OVSC1100, Overview of Signals Intelligence Authorities, the
core SIGINT IO course, provides an introduction to various legal authorities 
that NSA uses to conduct its operations. Upon completion, personnel should 
be able to identify applicable surveillance authorities at a high level, define 
the basic provisions of the authorities, and identify situations and 
circumstances requiring additional authority. OVSC1100 is web based and 
includes knowledge checks for proficiency. All personnel in the U.S. SIGINT 
System (USSS) working under the NSA Director’s SIGINT authority with 
access to raw SIGINT are required to complete OVSC1100 every 12 months. 


(U//FOUO) OVSC1800 (Analytic) and OVSC1806 (Technical), Legal
Compliance and Minimization Procedures, advanced SIGINT IO course that
explains policies, procedures, and responsibilities within missions and
functions of the USSS to enable the protection of USP and foreign partner
privacy rights. Upon successful completion, NSA analysts with mission
requirements to access raw SIGINT databases will have met the additional
training requirement imposed by SID. OVSC1800 and OVSC1806 are web
based and include competency exams [redacted]
Personnel who do not pass the test after [redacted] attempts must
complete remedial training. All personnel in the USSS working under the
NSA Director’s SIGINT authority with access to raw SIGINT are required to
complete OVSC1800 or OVSC1806 every 12 months.


15 (U//FOUO) E.O. 12333, United States Intelligence Activities; DoD Regulation 5240.1-R, Procedures Governing
the Activities of DoD Intelligence Components That Affect U.S. Persons; DTM-08-052, DoD Guidance for 
Reporting Questionable Intelligence Activities and Significant or Highly Sensitive Matters. 


(U//FOUO) OVSC1205 (Analytic) and OVSC1206 (Technical), Special
Training on FISA, advanced IO courses that present legal policies surrounding 
the FISC Orders and RAS standards pertaining to specific CT focused 
programs. OVSC1205 and OVSC1206 are web based and include 
competency exams with a minimum passing score of 90 percent for 
OVSC1205 and 89 percent for OVSC1206, a higher proficiency threshold 
than other courses because BR FISA data has a greater probability of 
containing USP information. Personnel who do not pass the test after one 
attempt must complete remedial training. All personnel with access to the BR 
FISA program are required to complete OVSC1205 or OVSC1206 every 12 
months. 


(U//FOUO) DoJ NSD review of training material As the BR Order requires, NSA’s
OGC provides DoJ NSD copies of the material (e.g., OVSC1205 and OVSC1206 
training courses) used to train NSA personnel on the authority. OGC most recently 
provided DoJ NSD copies of revisions to the training materials in February 2014. 
NSA had revised the training materials because of the 17 January 2014 program 
changes, which included the two-hop limitation and FISC RAS-approval process. 


(U) Access requirements for technical personnel to BR repositories 


(U//FOUO) The BR Order states that appropriately trained and authorized technical
personnel may access the BR metadata to perform those processes needed to make
the data usable for intelligence analysis. The following describes the repositories and
systems and the access requirements for technical personnel.

[redacted]


(b)(3)-P.L. 86-36. 


(b)(3)-50 USC 3024(i) 


16 (U//FOUO) Backup tapes are securely stored in a locked cabinet inside a restricted access room at a secure
facility and are only accessible by designated [redacted] personnel.


(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


* (U//FOUO) NSA’s Corporate Infrastructure Technical personnel
responsible for maintaining NSA’s underlying corporate infrastructure and
transmission of BR metadata to NSA (e.g., corporate [redacted] personnel
and SharePoint system administrators) are not required to receive special
training regarding the BR program.

(b)(3)-P.L. 86-36
(U) Access requirements for analysts to query BR repositories


(TS//SI//NF) To query the database using [redacted],
[redacted] including DIAs, must be listed on the [redacted]


[redacted] analysts are able to select the [redacted]
metadata. As of 31 December 2013, [redacted] personnel had the ability to run queries on
BR data using [redacted]


(U//FOUO) Table 14 summarizes the provisions of BR Order 13-158 for access and
training and the controls implemented by NSA to ensure compliance.


(b)(3)-P.L. 86-36


17 (U//FOUO) [illegible] technical personnel system accesses [illegible] terminated.


18 (U//FOUO) PKI is used to authenticate users on NSA networks. PKI binds public keys with users [illegible] a digital
certificate authority.

(U) Provisions of BR Order 13-158

Provision: (U) Access to BR metadata shall be restricted to authorized personnel who have received
appropriate and adequate training.
Control: (TS//SI//NF) All personnel with access to BR metadata must be approved for the [redacted]
credential. All personnel with access to the BMD repositories must have the [redacted] credential. All
personnel who query the BR metadata in the BMD repositories must have the [redacted] [illegible]
must complete appropriate and adequate training verified and monitored by SV.

Provision: (U) Appropriately trained and authorized technical personnel may access the BR
metadata to perform those processes needed to make it usable for intelligence analysis.
Control: (TS//SI//NF) Technical personnel with access to the BR metadata must have [redacted]
credential and must have completed appropriate and adequate training verified and monitored
[text cut off]

Provision: (U) Technical personnel responsible for NSA’s underlying corporate infrastructure and
the transmission of the BR metadata from the specified persons to NSA will not receive
special training regarding the authority granted herein.
Control: (U) Technical personnel responsible for NSA’s underlying corporate infrastructure do not
receive special training regarding the BR program.

Provision: (U) NSA’s OGC and ODOC will further ensure that all NSA personnel who receive
query results in any form first receive appropriate and adequate training and
guidance regarding the procedures and restrictions for the handling and
dissemination of such information.
Control: Before an analyst sends BR-unique query results containing USP information to another
individual, the analyst must confirm that the recipient has the [redacted] credential. An individual
with the [redacted] credential must complete and remain current on required training, which includes
training and guidance on handling and disseminating such data.

Provision: (U) NSA will maintain records of all such training.
Control: (U//FOUO) NSA’s ADET Enterprise Learning Management database is NSA’s SSR for
maintaining training completion records.

Provision: (U) OGC will provide DoJ NSD with copies of all formal briefing and/or training materials
(including all revisions) used to brief/train NSA personnel concerning this authority
Control: (U//FOUO) NSA’s OGC provides BR FISA training material to DoJ NSD for review before modifying
material in the OVSC1205 and OVSC1206 training [text cut off]

(b)(3)-P.L. 86-36


(U) Querying


(TS//SI//NF) NSA may access BR metadata for purposes of obtaining foreign
intelligence information only through queries of the BR metadata to obtain contact
chaining information using selection terms approved as seeds.19 A seed is a selection
term approved for querying BR metadata. All selection terms to be used as seeds
with which to query the BR metadata must first be approved by the S214 Chief or
Deputy Chief or one of the twenty specially authorized HMCs in the SID Analysis
and Production Directorate.20 Approval shall be given only after the designated
approving official has determined that based on the factual and practical
considerations of everyday life on which reasonable and prudent persons act, there
are facts giving rise to a RAS that the selection term to be queried is
[redacted] (hereafter the Foreign Powers). If the selection term
is reasonably believed to be used by a USP, the NSA’s OGC must first determine that
the USP is not regarded as [redacted]
solely on the basis of activities that are protected by the First
Amendment to the Constitution.21 RAS approvals shall be effective for 180 days for
any selection term reasonably believed to be used by a USP and one year for all other
selection terms.

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


(U//FOUO) Furthermore, queries of the BR metadata using RAS approved selection
terms may occur either by manual analyst query or through the automated query
process.22 Contact chaining queries of BR metadata will begin with a RAS approved
seed, and will return only that metadata within three “hops” of the seed.23


19 (U//FOUO) The term “selection terms” includes, but is not limited to, “identifiers.” The term “identifiers” means a
telephone number, as that term is commonly understood and used.


20 (TS//SI//NF) Selection terms that are the subject of electronic surveillance authorized by the FISC based on the
FISC’s finding of probable cause to believe that they are used by [redacted], including those used by USPs, may
be deemed approved for querying for the period of FISC-authorized electronic surveillance without review and
approval by a designated approving official. On 26 February 2014, NSA began sending selection terms to the FISC
for RAS approval to comply with the President’s directive of 17 January 2014. On 28 February 2014, the FISC
approved RAS for the first two selection terms under this new process.


21 (U) The First Amendment to the U.S. Constitution prohibits making any law abridging the freedom of speech,
infringing on the freedom of the press, interfering with the right to peaceably assemble, or prohibiting the petitioning
for a government redress of grievances. The BR Order no longer requires that NSA’s OGC perform a First
Amendment review of selection terms used by USPs for non-emergency RAS requests; the FISC performs those
reviews. This change was made following the President’s directive on 17 January 2014, which requires that NSA
submit selection terms to the FISC for RAS approval.


22 (TS//SI//NF) The automated query process was initially approved by the FISC in the 7 November 2012 Order that
amended docket number BR 12-178. Although approved, NSA never implemented and is no longer authorized to
use the automated query process since it withdrew its request to do so in the renewal applications and declarations
that support the BR Orders approved by the FISC (beginning with BR Order 14-67, dated 28 March 2014).


23 (U//FOUO) The first hop from a seed returns results including all selection terms (and their associated metadata)
with a contact and/or connection with the seed. The second hop returns results that include all selection terms (and
their associated metadata) with a contact and/or connection with a selection term revealed by the first hop. The third
hop returns results that include all selection terms (and their associated metadata) with a contact and/or connection
with a selection term revealed by the second hop. On 29 January 2014, NSA’s software system controls were
modified to limit the number of hops from seed selection terms to two to comply with the President’s directive of 17
January 2014.


(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

Appropriately trained and authorized technical personnel may query BR metadata
using selection terms that have not been RAS approved to perform processes needed 
to make the BR metadata usable for intelligence analysis and may share the results of 
those queries with other authorized personnel responsible for these purposes. 
However, the results of such queries may not be used for intelligence analysis 
purposes. NSA must ensure through adequate and appropriate technical and 
management controls that queries of BR metadata for intelligence analysis purposes 
will be initiated using only selection terms that have been RAS approved. 


(U) Presidential directives affecting querying controls in 2014 


(U) On 17 January 2014 and 27 March 2014, the President of the United States 
directed that NSA implement the following changes to the BR FISA program: 


1. (U//FOUO) Submit selection terms to the FISC for RAS approval. Before
17 January 2014, selection terms were RAS approved by the S214 Chief or
Deputy Chief or one of the twenty specially authorized HMCs as the BR 
Order required, and OGC performed First Amendment reviews for selection 
terms associated with U.S. persons. 


2. (U//FOUO) Restrict contact chaining to two hops from seed selection terms.
Before 17 January 2014, appropriately trained and authorized NSA analysts 
were authorized to query to three hops; however, NSA guidance restricted 
those analysts to query BR FISA repositories two hops from seed selection 
terms and one additional hop (three hops from seed selection terms) with S2 
division management approval. 


3. (U//FOUO) Store BR metadata in provider controlled repositories and not in
NSA repositories. Once implemented, NSA will submit FISC-approved RAS 
selection terms to providers for them to query their repositories. Providers 
will provide to NSA only the results of those queries. 


(U//FOUO) NSA implemented the first two directives by February 2014. The third
directive, storing BR metadata in provider repositories and obtaining only those query
results from providers, will require passage of a new statute for the production of
business records, which had not been enacted when this report was issued.


(U//FOUO) The remainder of this section documents the control framework in place
for querying BR metadata in 2013, including the changes implemented by the 
President’s directives in 2014. 

(U) Determining seed selection terms for requesting RAS approval 


(U//FOUO) Analysts working CT missions focus on lead selection terms, which can
be derived from multiple sources [redacted].
Analysts apply a wide range of tradecraft in determining which selection
terms to pursue RAS approval.

(b)(3)-P.L. 86-36

(U//FOUO) Analysts making determinations whether selection terms are eligible to
be used as seeds under the BR FISA authority must consider all the facts they know
or reasonably can know before submitting requests for RAS approval. Looking at the
totality of the circumstances, analysts evaluate whether there is a RAS that the
selection terms are used by persons associated with one of the terrorist organizations
in the BR Order. The level of proof demanded by the RAS standard is less than a
preponderance of the evidence or probable cause.


(U//FOUO) Nonetheless, the RAS standard requires more than a mere hunch or
uninformed guesswork. Analysts must have an “articulable reason,” supported by at
least one source, for suspecting that the person using the selection term is associated
with one of the terrorist organizations in the BR Order. Sources used to justify RAS
requests include, but are not limited to [redacted]
The RAS standard is the same for selection terms
associated with USPs and foreign persons.

(b)(3)-P.L. 86-36


(TS//SI//NF) Analysts electronically submit RAS requests in [redacted]. NSA’s
RAS selection term management system has required fields for analysts
to enter justifications for RAS requests, user nationalities, and user ties to at least one
of the terrorist organizations in the BR Order. Analysts save the supporting
documentation for RAS requests in [redacted] for review by designated officials.

As authorized by the BR Order, if selection terms are subject to ongoing FISC-
authorized electronic surveillance [redacted] based on a finding of probable
cause that the selection term is used or about to be used by persons associated with
one of the identified foreign powers, NSA may use the selection terms to query the
BR metadata without obtaining RAS because probable cause, a higher standard, has
already been met. In these cases, entries are still submitted through [redacted]
along with supporting documentation, and HMC and possible OGC review (if a
selection term is associated with a USP) would also be required. According to [redacted],
a majority of the selection terms submitted for RAS approval are derived from
[redacted]

(b)(3)-P.L. 86-36


24 (U//FOUO) If RAS requests are based in part or in whole on NSA SIGINT, NSA performs a purge verification
check for the selection term when the request is submitted to ensure that the selection term had not been submitted
for on-demand, retroactive, or reactionary removal of data from NSA SIGINT system repositories. The “purge
verification” field must be filled out when creating a RAS request and must be conducted no more than 24 hours
before submission.

(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


(TS//SI//NF) RAS can be met only on selection terms associated with the terrorist
organizations listed in [redacted]. Those would include organizations listed in the
FISC-approved BR Order or based on IC reporting and determined by NSA’s OGC
[redacted] a terrorist organization in the FISC-approved [redacted]

Only individuals [illegible] role can maintain the
terrorist organization list in [redacted]. [redacted] NSA personnel were assigned this role
[illegible].

(TS//SI//NF) [redacted], which NSA implemented in June 2010, provides the
system control framework for nominating, justifying, reviewing, approving, and
disapproving RAS for selection terms. [redacted] has built-in safeguards to ensure
that RAS approved selection terms comply with requirements of the BR Order
(e.g., required RAS approvals documented, only approved terrorist organizations used
for RAS, maximum time limits not exceeded for RAS approvals). [redacted] also
serves as the authoritative source for RAS approved selection terms and exports the
selection terms to other systems in the BR control framework.

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


(b)(3)-P.L. 86-36

(U) RAS approval process—2013


(U//FOUO) In 2013, the RAS approval process included certain mechanisms NSA
used to determine whether selection terms were associated with one of the terrorist
organizations in [redacted] before BR authorized analysts could use the selection
terms as seeds to query BR metadata. Consistent with the BR Order, all selection
terms used as seeds for querying BR metadata were first approved by the S214 Chief

(b)(1)
(b)(3)-P.L. 86-36


[illegible] In May 2012, DoJ NSD stated that it was generally acceptable for NSA’s OGC to determine, based
[redacted]
In addition, with the condition of RAS being met, NSA can include [redacted]
DoJ NSD further stated that OGC must revisit those determinations every six months

(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)

or Deputy Chief or one of the 20 specially authorized HMCs. If selection terms were
reasonably believed to be used by USPs, NSA’s OGC determined whether the USPs 
were regarded as associated with one of the terrorist organizations named in the BR 
Order solely on the basis of activities protected by the First Amendment. Figure 4 
illustrates the RAS approval process in place during 2013. 


(U) Figure 4. RAS Approvals Needed Before Querying BR Metadata in 2013
(U//FOUO)

[Flowchart; text recovered from the figure, partly illegible:]
1. NSA analyst seeks approval to query the BR metadata using the selection term of an individual
suspected of being associated with a designated terrorist organization.
2. Homeland Mission Coordinator (HMC): Is there a reasonable articulable suspicion that the individual is
associated with a designated terrorist organization? NO: STOP PROCESS. YES: CONTINUE PROCESS.
3. Is the selection term associated with a U.S. person?
4. If YES, NSA Office of General Counsel: Is the suspicion of association with a designated terrorist
organization based solely on activities protected by the First Amendment? YES: STOP PROCESS.
NO: CONTINUE PROCESS.
5. NSA analyst queries the selection term against the BR metadata (e.g., date/time of [illegible]
number, called number, duration of call).
6. After analysis, NSA issues a report if appropriate.

(b)(3)-P.L. 86-36


(U//FOUO) Table 15 summarizes the RAS selection terms approved in 2013.

(U) Table 15. 2013 RAS Approvals
(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


* (U//FOUO) Data includes RAS selection terms that were approved more than once in 2013.


† (U//FOUO) Data only includes unique selection terms approved during 2013; it excludes multiple
RAS approvals for the same selection terms in 2013.


(U) HMC review process—2013


(U//FOUO) After RAS approval requests are submitted in [redacted], automatic
e-mail notifications are sent to HMCs alerting them that requests are available for
review. Depending on the ranking assigned to RAS approval requests in [redacted],
reminder e-mails are sent after [redacted] for emergency requests, [redacted] for urgent
requests, [redacted] for priority requests, and [redacted] for routine requests.

(b)(3)-P.L. 86-36


HMCs verify that:

* (U//FOUO) Justifications sufficiently and accurately document user ties to the
selection terms submitted for RAS approval;

* (U//FOUO) Justifications [illegible] support user ties to one of the terrorist
organizations listed in [redacted]; (b)(3)-P.L. 86-36

* (U//FOUO) RAS requests are supported by credible source documentation;

* (U//FOUO) Source documentation is current and has not been superseded by
other intelligence; RAS requests contain time restrictions, if selection terms
are or were associated with users for only a specific and limited time; and

* (U//FOUO) If SIGINT is used as justification for RAS approval requests,
analysts performed purge verifications when requests are submitted.


(U//FOUO) If HMCs determine that the documentation requirements have not been
met and the RAS standard has not been satisfied, analysts are notified of
deficiencies and asked to provide additional information. HMCs denote denied RAS
requests as “Pending” until adequately documented in [redacted]. If the
documentation requirements are met and the RAS standard has been satisfied, HMCs
change the status of requests from “Pending” to “Approved” in [redacted].
Change logs [illegible] document all status changes and edits of the original RAS
approval requests by analysts and designated approvers. For oversight purposes,
change log histories cannot be [illegible]. [redacted] controls require that OGC
approve selection terms used by USPs before completing the RAS approval process.
Figure 5 illustrates the RAS standard.


(U//FOUO) Figure 5. RAS Standard

[Figure content illegible or redacted: (b)(3)-P.L. 86-36, (b)(3)-50 USC 3024(i)]


28 (U) Some BR trained and authorized analysts can approve RAS requests and query BR metadata.
However, system controls prevent persons from submitting and approving their own RAS requests.

(U) OGC First Amendment review of seed selection terms associated with
USPs—2013


(U//FOUO) NSA is prohibited from establishing RAS on a USP selection term based
solely on activities protected by the First Amendment. In 2013, RAS requests
containing selection terms associated with USPs were forwarded to the NSA OGC for
a First Amendment review. [redacted] sent automated e-mail notifications to
designated OGC attorneys until a First Amendment review was completed. OGC
reviewed the RAS requests and source documentation, as well as the RAS decisions
made by HMCs, and determined whether NSA intended to target individuals based
solely on activities protected by the First Amendment. If there were indications that
RAS requests were based solely on such activities, OGC would deny the RAS request
(denoted as “Disapproved” in [redacted]). Once OGC has approved RAS requests
in [redacted], the selection terms are authorized for use as seeds for querying.
However, a series of system updates must be completed before analysts can query BR
metadata using newly approved seed selection terms.

(b)(3)-P.L. 86-36


(U) Controls for querying BR metadata using only RAS approved seed 
selection terms within the authorized number of hops 


(U//FOUO) [redacted] tracks the status of selection terms and for an “Approved”
status the expiration of the RAS approval. The BR Order specifies that RAS
approvals shall be effective for 180 days for selection terms reasonably believed to be
used by USPs and one year for all other selection terms. However, NSA, out of an
abundance of caution, used a more restrictive RAS expiration policy in 2013:
[illegible] days for selection terms used by USPs and 180 days for selection terms used by
foreign persons. [redacted] is configured to automatically change the status of
RAS selection terms from “Approved” to “Expired” when expiration dates NSA set
are exceeded.

(b)(3)-P.L. 86-36

[redacted] is the graphical user interface that analysts use to query data in [redacted],
including BR metadata. When launching [redacted], analysts with
appropriate credentials have the option to include BR metadata in their queries. If
analysts select the [redacted]

(b)(3)-P.L. 86-36

[illegible] [redacted] was reconfigured so that selection terms used by USPs expired in
173 days and 358 for all others. NSA made this change to avoid burdening the FISC, which began approving RAS
for selection terms as the President had directed, with more frequent reauthorizations than the BR Order requires.


(TS//SI//NF) When in the [redacted] mode of [redacted], analysts may only use a RAS
approved selection term to query BR metadata. The term used to initiate a query of
BR metadata is referred to as a seed because it is used to produce a “chain” of
metadata contacts, known as contact chaining. When analysts submit seed selection
terms for querying using [redacted], another [illegible] middleware called
the Emphatic Access Restriction (EAR) checks whether the selection terms appear as
“Approved” in [redacted]. The EAR, through internal software
system controls, ensures that contact chaining is restricted to seeds that are RAS
approved by preventing non RAS approved selection terms from being used as seeds
for conducting call chaining analysis of BR metadata in [redacted] (e.g., expired,
decommissioned, disapproved selection terms, terms that have never been entered
into [redacted]). If selection terms submitted by analysts for querying of BR
metadata appear as “Approved” in [redacted] tables, the EAR allows
queries to perform. The EAR prevents queries from performing when the selection
terms do not appear as “Approved.”


(U//FOUO) In 2013, the EAR software system controls also restricted the number of hops to three from the seed for contact chaining, as the BR Order authorized. However, if analysts, after reviewing the first two hops’ results, wanted to perform contact chaining out to a third hop from the seed selection term, SID policy required that they first obtain S2 division management approval. NSA relied on analysts to comply with SID policy; no system control was in place to prevent analysts from querying out to three hops without S2 division management approval.


(U//FOUO) To understand how contact chaining was performed and the system controls implemented by the EAR to only allow querying using RAS approved seeds and within three hops of the seed selection term in 2013, it is helpful to review an example.

(TS//SI//REL TO USA, FVEY) Seed selection term A, reasonably believed to be used by a foreign person [redacted], was RAS approved by an [redacted]. No First Amendment review was required because selection term A (the seed) was not used by a U.S. person. The analyst entered selection term A into [redacted] to perform contact chaining analysis one hop from the seed. The EAR automatically checked [redacted] tables to determine whether selection term A was RAS approved. Because it showed as RAS approved, the EAR allowed the query of BR metadata [redacted]. First hop queries returned all selection terms available in the BR repository (and associated metadata) that had a contact or connection with the seed.

[redacted: (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)]

If the analyst tried to query beyond the [illegible] hop or query using a selection term that had not been RAS approved, the EAR would have prevented the action.

[redacted] (BR metadata) with only RAS approved selection terms. After [redacted] release in June 2010, the EAR was reconfigured to use data from [redacted] to prevent queries in [redacted] using selection terms that were not RAS approved, including USP selection terms that OGC had not reviewed.

On 29 January 2014, NSA modified the EAR software system controls to reduce the number of hops from the seed to two to comply with the President’s directive of 17 January 2014.
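The checks this section attributes to the EAR (a seed must show as “Approved”, statuses expire automatically, chaining stops at a hop limit), modelled as an added Python example; it is not NSA code or code from the report. `RasTable`, `ChainingGate`, `approval_from_hop` and the contact graph are constructed for illustration; the 90/180-day windows and the three-hop limit are the 2013 values the report states.

```python
from dataclasses import dataclass
from datetime import date, timedelta


class QueryDenied(Exception):
    """The gate refused a contact-chaining query."""


@dataclass
class RasEntry:
    usp: bool          # term reasonably believed to be used by a USP
    approved_on: date
    status: str = "Approved"


class RasTable:
    """Hypothetical stand-in for the redacted table of RAS dispositions."""

    def __init__(self, usp_days, other_days):
        self.usp_days, self.other_days = usp_days, other_days
        self.entries = {}

    def approve(self, term, usp, approved_on):
        self.entries[term] = RasEntry(usp, approved_on)

    def expires_on(self, term):
        entry = self.entries[term]
        days = self.usp_days if entry.usp else self.other_days
        return entry.approved_on + timedelta(days=days)

    def age_off(self, today):
        """Flip "Approved" to "Expired" once the expiration date is exceeded."""
        for term, entry in self.entries.items():
            if entry.status == "Approved" and today > self.expires_on(term):
                entry.status = "Expired"

    def status(self, term):
        entry = self.entries.get(term)
        return entry.status if entry else "Never entered"


class ChainingGate:
    """Default-deny check in front of contact chaining (the role the EAR plays)."""

    def __init__(self, table, max_hops, approval_from_hop=None):
        self.table = table
        self.max_hops = max_hops
        # Hypothetical: hop number from which management approval is enforced
        # in software. None reproduces 2013, when this was policy only.
        self.approval_from_hop = approval_from_hop

    def chain(self, seed, hops, contacts, today, mgmt_approved=False):
        self.table.age_off(today)
        status = self.table.status(seed)
        if status != "Approved":            # expired, disapproved, never entered
            raise QueryDenied(f"seed {seed!r} is {status!r}, not 'Approved'")
        if not 1 <= hops <= self.max_hops:
            raise QueryDenied(f"{hops} hops is outside 1..{self.max_hops}")
        if (self.approval_from_hop is not None
                and hops >= self.approval_from_hop and not mgmt_approved):
            raise QueryDenied(f"hop {hops} needs management approval")
        seen, frontier, result = {seed}, {seed}, {}
        for hop in range(1, hops + 1):      # breadth-first, one hop at a time
            nxt = {c for t in frontier for c in contacts.get(t, ()) if c not in seen}
            seen |= nxt
            result[hop] = sorted(nxt)
            frontier = nxt
        return result


# Constructed contact graph: term -> terms it has been in contact with.
CONTACTS = {"A": ["B", "C"], "B": ["A", "D"], "C": ["D", "E"],
            "D": ["F"], "E": [], "F": ["G"]}


def demo():
    table = RasTable(usp_days=90, other_days=180)      # 2013 windows (Table 16)
    table.approve("A", usp=False, approved_on=date(2013, 1, 1))
    table.approve("U", usp=True, approved_on=date(2013, 1, 1))
    gate = ChainingGate(table, max_hops=3)
    out = {"three_hops": gate.chain("A", 3, CONTACTS, date(2013, 3, 1))}
    for label, seed, hops, day in [("four_hops", "A", 4, date(2013, 3, 1)),
                                   ("unlisted", "Z", 1, date(2013, 3, 1)),
                                   ("expired_usp", "U", 1, date(2013, 4, 15))]:
        try:
            gate.chain(seed, hops, CONTACTS, day)
            out[label] = "allowed"
        except QueryDenied as exc:
            out[label] = f"denied: {exc}"
    return out


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

Constructing the gate with `approval_from_hop=3` shows what a system-enforced version of the third-hop management approval would look like; the report says that in 2013 this step was left to analyst compliance with SID policy.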


(U) EAR bypass 


(TS//SI//NF) Because it can take [redacted] for system updates to complete before a RAS approved selection term can be used for querying BR metadata, an EAR bypass was implemented for emergency situations. If an analyst, with a RAS approved seed selection term and S214 management approval, determines that immediate querying of BR metadata using the RAS approved seed selection term is necessary to obtain time-sensitive results to respond to an emergency, S214 informs designated OGC, SV, and ODOC personnel of its intention to bypass the EAR software system controls. After this notification, S214 management contacts the [redacted] team requesting that designated analysts be temporarily added to the [redacted] user group in [redacted]. This allows the analysts to select the bypass option in [redacted], thereby bypassing the EAR software system controls for hop restrictions and checks of RAS selection terms against the [redacted] tables. Analysts, with manual checks by direct on-site supervisor oversight, ensure that queries performed in the bypass mode do not exceed three hops (before 17 January 2014) or two hops (on and after 17 January 2014). The [redacted] team is notified when the analysts should be removed from the [redacted] user group in [redacted] immediately following NSA’s response to an emergency situation or after normal system updates have completed to allow querying using the RAS approved selection terms. No NSA personnel were included [redacted] user group [redacted]

(U) Querying by trained and authorized technical personnel for testing 
purposes only 


The BR Order allows authorized NSA technical personnel to access the BR metadata, including through queries, to make it usable for intelligence analysis. This includes performing [redacted] and maintaining records to demonstrate compliance with the BR Order. However, technical personnel [illegible] not share the results of these queries with analysts. Tests of [redacted] as the BR Order allows. Only a limited number of technical personnel, who appear in [redacted] user group [redacted], can query BR metadata using non RAS approved selection terms in operational databases. The [redacted] user group is used only by technical personnel. SV audits all queries performed using query tools by technical and mission personnel to ensure compliance with the BR Order. [redacted] authorized [illegible] personnel were in the [redacted] user group [redacted]


(U) RAS approval process—2014 


(TS//SI//NF) On 17 January 2014, the President directed that NSA implement changes in how it operates the BR FISA program: NSA must submit selection terms to the FISC for RAS approval and limit contact chaining to two hops from the seed selection terms. Before 17 January 2014, RAS selection terms were approved by the S214 Chief or Deputy Chief or one of the twenty authorized HMCs, as the BR Order required, and contact chaining was allowed out to three hops.

As an added measure, on 23 January 2014, all [redacted] RAS selection terms in an “Approved” status were changed to “Revalidate” in [redacted]

(U//FOUO) In the weeks following the President’s directives, through a motion to amend BR Order 14-01 the FISC approved on 5 February 2014, the following:


(U) The government may request, by motion and on a case-by-case basis, permission 
from the Court for NSA to use specific selection terms that satisfy the RAS standard as 
“seeds” to query the BR metadata to obtain contact chaining information, within two 
hops of an approved “seed,” for purposes of obtaining foreign intelligence information. 
In addition, the Director or Acting Director of NSA may authorize the emergency 
querying of the BR metadata with a selection term for purposes of obtaining foreign 
intelligence information, within two hops of a “seed,” if: (1) the Director or Acting 
Director of NSA reasonably determines that an emergency situation exists with respect to 
the conduct of such querying before an order authorizing such use of a selection term can 
with due diligence be obtained; and (2) the Director or Acting Director of NSA 
reasonably determines that the RAS standard has been met with respect to the selection 
term. In any case in which this emergency authority is exercised, the government shall 
make a motion in accordance with this amendment to the BR Primary Order to the Court 
as soon as practicable, but not later than seven days after the Director or Acting Director 
of NSA authorizes such query. 


(U//FOUO) In response to these new requirements, the NSA BR control framework changed:


• (U//FOUO) RAS approvals submitted to the FISC. NSA no longer approves RAS for selection terms, except in emergency situations. HMCs or the S214 Chief or Deputy Chief previously approved RAS. They now perform only first level reviews to determine whether RAS requests are adequately documented and supported by creditable source documentation in [redacted]. Analysts follow the same preliminary procedures as before for determining whether selection terms are used by persons who are reasonably believed to be associated with one of the terrorist organizations listed in the BR Order and for documenting RAS requests in [redacted]. After reviewing the supporting documentation, HMCs send RAS requests back to analysts to make additional changes (as needed), deny RAS requests, or formally endorse them. Only RAS requests endorsed by HMCs are submitted [redacted] to OGC for second-level review (regardless of whether selection terms are used by USPs or foreign persons).

[redacted] selection terms were in an “Approved” status in [redacted]. [redacted] selection terms had expired, and [redacted] automatically changed [redacted] status from “Approved” to “Revalidate.” The remaining [redacted] selection terms still in an “Approved” status were changed to “Revalidate” in [redacted]


(U//FOUO) OGC no longer officially performs First Amendment reviews of 
selection terms used by USPs for non-emergency RAS requests; the FISC 
performs those reviews. OGC now performs second level reviews of RAS 
requests, source documentation, and endorsement decisions by HMCs to 
provide greater assurance that the FISC will not reject RAS requests because 
of insufficient documentation or First Amendment concerns (for selection 
terms used by USPs). OGC reviews HMC endorsements during RAS 
verification meetings, at which HMCs present evidence supporting the RAS 
justifications for review by SV, OGC, and the S2 Declarant (usually the S214 
Chief or Deputy Chief) who signs the eventual motions seeking FISC 
approval of the selection terms. This group (known as the “RAS verification 
panel”), chaired by SV, confirms that representations in RAS requests are 
accurate. If the RAS verification panel endorses the RAS requests, OGC 
submits them to DoJ NSD for review and submission to the FISC for 
approval. At each level of review by HMCs, OGC, the RAS verification 
panel, and DoJ NSD, all questions, concerns, and requests for additional 
information must be satisfied before DoJ NSD submits the requests to the 
FISC. 


(TS//SI//NF) The FISC makes the final determination of whether the RAS standard has been met for each request and notifies DoJ NSD of its decision to approve or disapprove requests. After OGC has been notified by the DoJ NSD of the FISC decision, OGC enters the date of the decision, saves the supporting court documentation, and updates the dispositions of RAS requests [redacted] (“Approved” or “Disapproved”). FISC approvals are effective for 180 days for selection terms used by USPs and one year for all others. However, NSA established slightly more conservative expirations in [redacted]: 173 days for selection terms used by USPs and 358 days for all others. Figure 6 illustrates the non-emergency RAS approval process.

[redacted] is the system of record for storing documents relating to NSA authorities, including BR Orders for the BR FISA authority.


(U) Figure 6. Non-Emergency RAS Approval Process

[figure redacted: (b)(3)-P.L. 86-36]


• (U//FOUO) Emergency RAS approvals. Under the BR Order, the NSA Director (DIRNSA) or Acting DIRNSA can approve RAS for selection terms for querying BR metadata within two hops of the seed selection term only after the RAS standard has been met and only when responding to emergencies. When submitting a RAS request for emergency approval, analysts document the request and justification for emergency approval in [redacted]. An HMC performs a first-level review and requests additional information from the analysts (as needed) and denies or endorses the emergency RAS request. If the HMC endorses, the RAS verification panel is immediately convened to review the supporting documentation and justification for requesting emergency approval. If the RAS request contains a selection term used by a USP, OGC performs a First Amendment review to determine that the basis for seeking RAS is not solely based on activities protected by the First Amendment. If the RAS verification panel concurs with the HMC’s endorsement and OGC concludes that there are no First [illegible] OGC will brief the DIRNSA or Acting DIRNSA, who determines whether an emergency situation exists, and the RAS standard has been met, and the RAS determination is not based solely on First Amendment protected activities.

(U//FOUO) If the DIRNSA or Acting DIRNSA approves the emergency RAS request, OGC saves the approval documentation and changes the disposition of the RAS request to “Approved” in [redacted] and notifies DoJ NSD of the emergency RAS approval. If immediate querying is required, S214 coordinates adding the designated analysts to [redacted] user group in [redacted] (see Querying section for EAR Bypass procedures). Otherwise, the designated analysts must [redacted] for a series of system updates to complete before querying BR metadata using the emergency-approved selection term.


(U//FOUO) The BR Order requires that, within seven days of the emergency RAS approval, DoJ NSD file a motion with the FISC on behalf of NSA concerning the emergency authorization. If the FISC grants the motion, OGC enters the date the FISC approved the RAS request and records the supporting court documentation in [redacted]. If the FISC denies the motion, NSA will take remedial action, including actions the FISC has directed. Figure 7 illustrates the emergency RAS approval process.


(U) Figure 7. Emergency RAS Approval Process

[figure redacted: (b)(3)-P.L. 86-36]


(U//FOUO) [redacted] the DIRNSA approved the first and only selection term for emergency querying since receiving this new mandate from the FISC on 5 February 2014. A motion was filed with the FISC within seven days of the DIRNSA’s approval of the emergency RAS request. [redacted] the FISC approved RAS for the selection term.


• (U//FOUO) Two-hop restriction for contact chaining. On 29 January 2014, 
NSA modified the EAR software system controls to restrict contact chaining 
to two hops from seed selection terms as the President had directed. Before 
17 January 2014, authorized NSA analysts could query BR FISA repositories 
two hops from seed selection terms and one additional hop (three hops from 
seed selection terms) with S2 division management approval. 


(U) Table 16 summarizes the provisions of BR Order 13-158 for querying BR 
metadata and the controls NSA implemented to maintain compliance. 
(U) Table 16. Querying Provisions and Controls

Provision: Seed selection terms must be approved by a designated approving official and also reviewed by OGC, if the selection term is used by a USP, before querying BR metadata for intelligence analysis purposes.
Control: [redacted] controls ensured that one of the 22 designated approving officials approved RAS for selection terms and, if used by USPs, OGC performed a First Amendment review. Selection terms were added to the RAS Approved List only after the required approvals were documented in [redacted].

Provision: Approvals shall be given only after the designated approving official has determined that there are facts giving rise to RAS that the selection term to be queried is associated with a Foreign Power.
Control: [redacted] stores supporting documentation for RAS; it also maintains the authoritative [illegible] of

Provision: NSA shall ensure, through adequate and appropriate technical and management controls, that queries of the BR metadata for intelligence analysis purposes will be initiated using only a selection term that has been RAS approved.
Control: EAR restricts contact chaining to only those seeds that are RAS approved by preventing all non RAS approved selection terms (e.g., expired, disapproved) from being used as seeds for conducting contact chaining.

Provision: RAS approvals must not exceed 180 days for selection terms reasonably believed to be used by a USP and 365 days for all other selection terms.
Control: [redacted] automatically changes the status of RAS approved selection terms from “Approved” to “Expired” when expiration dates set by NSA are exceeded. In 2013, expiration dates were set for 90 days for selection terms associated with USPs and 180 days for all others.‡

Provision: Results of contact chaining queries must not exceed three hops from seed selection terms.
Control: In 2013, the EAR limited the number of hops to three from the seed selection term for contact chaining.§

Provision: Technical personnel may query the BR metadata using selection terms that have not been RAS approved to perform processes needed to make it usable for intelligence analysis.
Control: SV reviews all query records for compliance with the BR Order.

* (U//FOUO) On 26 February 2014, NSA began sending RAS requests to the FISC for approval to comply with the President’s directive of 17 January 2014. On 28 February 2014, the FISC approved RAS for a selection term under this new process, and NSA began the process of manually entering into [redacted] the dates that the FISC approved RAS for selection terms. [redacted] updated to require that FISC approval dates be inputted into it before adding selection terms to the RAS Approved List.

† (U//FOUO) The EAR relies on RAS approved selection terms to be accurately entered by authorized personnel, manually in [redacted]. In 2014, NSA discovered instances of RAS approved selection terms that were inaccurately entered into [redacted] by authorized personnel. In response, NSA implemented a two-person review for accuracy of RAS approved selection terms manually entered into [redacted]

‡ (U//FOUO) [redacted] the expiration dates in [redacted] were changed to 173 days for selection terms used by USPs and 358 days for all others.

§ [illegible] system controls were modified to limit the number of hops from seed selection [illegible] to comply with the President’s directive from 17 January 2014.
(U) Sharing and Dissemination 
(U) Provisions of BR Order 13-158 


(U//FOUO) Sharing. Results of intelligence analysis queries of BR metadata may be 
shared, before minimization, for intelligence analysis among NSA analysts, subject to 
the requirement that all NSA personnel who receive query results in any form first 
receive appropriate and adequate training and guidance regarding the procedures for 
handling and disseminating such information. 


(U//FOUO) Dissemination. NSA shall apply the minimization and dissemination 
requirements and procedures of Section 7 of U.S. Signals Intelligence Directive 
(USSID) SP0018 to any results from queries of the BR metadata, in any form, before 
the information is disseminated outside NSA in any form. In addition, before 
disseminating USP information outside NSA, the DIRNSA, the Deputy Director, or 
one of the officials listed in Section 7.3(c) of USSID SP0018 (i.e., Director of SID, 
Deputy Director of SID, Chief of Information Sharing Services (SIS), Deputy Chief 
of S1S, and the Senior Operations Officer of the National Security Operations Center) 
must determine that the information identifying the USP is related to CT information 
and it is necessary to understand the CT information or assess its importance (“CT 
nexus”). Approximately every 30 days, NSA shall file with the Court a report that, 
among many things, includes a statement of the number of instances since the 
preceding report in which NSA has shared, in any form, results from queries of the 
BR metadata that contain USP information, in any form, with anyone outside NSA. 

(U) Sharing BR-unique information with authorized NSA personnel

(TS//SI//NF) NSA refers to “sharing” as providing query results internally to appropriately trained and authorized NSA personnel. Sharing restrictions in the BR Order only apply to BR-unique query results of a USP. “BR unique” is a term used by NSA that refers to contacts within a chain solely derived from BR metadata [redacted]. Oral or written depictions, manipulations, and summaries are also query results. Unless already included in a disseminated report, BR-unique query results containing USP information are only shared with individuals who have [illegible]. BR stakeholders manually check [redacted] to confirm that recipients have [redacted] before sharing BR-unique USP information, in any form. BR stakeholders also ensure that documents or files containing BR-unique USP information are only stored in access-controlled, personal or shared network locations accessible only to BR-cleared personnel and that BR-unique results containing USP information displayed in the workplace are not visible to analysts who do not have [redacted]

(U) Disseminating BR-unique information 


(U) Dissemination is the sharing of information outside NSA. The BR Order includes 
two provisions for disseminating information: the CT nexus requirement and the 
dissemination tracking requirement. 


• (U//FOUO) CT Nexus Requirement. The CT nexus requirement applies only 
to disseminations of BR query results containing USP information. The 
dissemination provisions of Section 7.3(c) of USSID SP0018 must be 
followed. If query results include USP information unique to BR metadata 
and the analyst needs to disseminate that information to an external customer, 
such as the FBI, then the CT nexus requirement must be met before 
disseminating information in any form. However, if query results contain 
only foreign person information, the CT nexus requirement does not apply 
when disseminating BR information. The remainder of this section focuses on 
disseminating USP information derived from BR-unique metadata. 


(TS//SI//NF) In accordance with USSID SP0018, if unminimized USP information is to be disseminated, one of the designated approval authorities must determine that the information is necessary to understand the foreign intelligence in the report before the information is released. This applies to all disseminations of unminimized USP information under all NSA authorities. The BR Order further requires that one of the approving authorities confirm that the information identifying a USP also relates to CT information and is necessary to understand the CT information or assess its importance. S1S stated that most disseminations of USP information derived from BR metadata [redacted]

(U//FOUO) There are two categories of BR disseminations: Published [redacted] and other disseminations (e.g., oral briefings to recipients external to NSA, such as the FISC, who are not receiving the information as part of their lawful executive or legislative oversight function).

o [redacted] reports are used to disseminate SIGINT information that responds to special IC requirements [redacted] disseminated in a limited distribution to customers empowered to act on the information and to additional customers who have an operational need-to-know (e.g., FBI, NCTC, Central Intelligence Agency (CIA), Office of the Director of National Intelligence (ODNI)).

o (U//FOUO) RFIs are requests by customers (e.g., FBI) for information from NSA. RFIs are usually requests requiring one-time, specific responses.

o [redacted] are SIGINT reports that generally focus on one [redacted] variety of collection authorities to a wide audience. However, [redacted] are not used to disseminate USP information unique to BR metadata


(U//FOUO) After one of the approving authorities listed in Section 7.3(c) of USSID SP0018 has approved the dissemination, if USP information unique to BR metadata is included in a [redacted], it is usually combined with information from other collection authorities to provide a more complete intelligence summary. Otherwise, NSA masks the identities of USPs mentioned in a [redacted] (e.g., USP1), so that the [redacted] can be distributed widely and sends separately an Identities Release Memorandum only to those parts of the IC that need to know the person’s identity. Only those recipients within the IC who receive both the [redacted] Identities Release Memorandum can determine the USP identity, and then only after submitting a formal justified request that has been approved by one of the officials listed in Section 7.3(c) of USSID SP0018.


(U//FOUO) Dissemination of BR information occurs most often in [redacted] reports. S1S stated that, even when NSA disseminates information using RFIs, corresponding [redacted] reports follow to formally document the dissemination. This allows the information requested by one IC customer, but important to other IC customers, to be released through a slightly wider, albeit highly controlled, distribution. Table 17 summarizes the BR reports [redacted] disseminated in 2013.


(U//FOUO) Masking is the process of using generic identification terms in place of USP names, titles, or [illegible] identifiers so that the person’s identity is not revealed in written or oral disseminations.

S214 confirmed that all RFIs containing BR-unique information have been followed up [redacted] reports
(U) Table 17. BR Reports Disseminated in 2013

BR Reports Disseminated: [redacted]
Total Selection Terms Reported (Derived from BR [illegible]): [redacted]
Total BR Unique Selection Terms Reported: [redacted]
Total U.S. Contacts Reported: [redacted]

* There were [redacted] additional disseminations in oral presentations. The NSA Director briefed [redacted] NSA made a presentation to the FISC [redacted]


(U//FOUO) The S1S Chief or Deputy Chief, two of the approving authorities designated in USSID SP0018, reviews the majority of the requests for disseminating USP information for all NSA authorities, including those unique to BR. Dissemination requests are approved usually the day they are received. Senior Operations Officers (SOO) in the National Security Operations Center (NSOC) are also authorized approvers for disseminating USP information and typically review and approve dissemination requests submitted after hours or in emergency situations.


(U//FOUO) S1S maintains disseminated reports [redacted] signed in an access-controlled S1S network folder. Disseminations approved after hours by the SOOs are formally documented, normally the following business day, by S1S. The NSOC Senior Reporting Officer notifies [redacted]

(U//FOUO) Oral briefings that include USP information derived from BR-unique metadata to officials outside NSA occur less frequently. Normally, these briefings are provided by NSA leadership who are approving authorities for disseminating USP information under USSID SP0018. All other BR stakeholders coordinate approvals with one of the [illegible] authorities before presenting information outside NSA. The CT division tracks oral briefings only, and S1S and S214 track all disseminations of USP information (published and oral), which are included in the 30-day reports filed with the FISC, as the BR Order requires.


• (TS//SI//NF) Dissemination Tracking Requirement. The second provision of the BR Order that applies to USP information is the dissemination tracking requirement regarding BR-unique information. NSA tracks and reports to the FISC every instance in which NSA disseminates USP information derived from BR metadata. Approximately every 30 days, OGC requests from S1S and S214 the number of disseminated reports containing USP information derived from BR-unique metadata for input into the 30-day reports filed with [illegible]. Although no longer required to track disseminations of foreign person information, S214 continues to track all disseminations of BR-unique information. Disseminations were tracked manually until [redacted], NSA’s corporate dissemination tracking tool, was implemented [redacted]. Since then, all disseminated reports containing BR-unique information have been tracked in [redacted]. [redacted] completed the upload of current and past BR disseminations into [redacted]

(U//FOUO) Table 18 summarizes the provisions of BR Order 13-158 for sharing and 
disseminating information derived from BR query results and the controls 
implemented by NSA to maintain compliance. 


(TS//SI//NF) Since 3 September 2009 (BR Order 09-13), NSA has been exempt from reporting in the 30-day 
reports to the FISC BR disseminations to the executive branch for oversight. On 3 January 2014 (the date the FISC 
approved BR Order 14-01), this reporting exemption was further extended to include BR disseminations to the 
legislative branch for oversight. 
(U) Table 18. Sharing and Dissemination Provisions and Controls

Provision: (U) Results of intelligence analysis queries of the BR metadata may be shared, before minimization, for intelligence analysis purposes among NSA analysts, subject to the requirement that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for handling and disseminating such information.
Control: BR stakeholders manually check [redacted], NSA’s corporate authorization services tool, to confirm that recipients have [redacted] before sharing BR-unique query results of a USP, in any form.

Provision: (U) Before disseminating USP information outside NSA, the NSA Director, the Deputy Director, or one of the officials listed in Section 7.3(c) of USSID SP0018 must determine that the information identifying the USP is related to CT information and that it is necessary to understand the CT information or assess its importance.
Control: (U//FOUO) One of the designated approvers (usually the S1S Chief or Deputy Chief) verifies that the CT nexus has been met before disseminating USP information in any form. The approving documentation is independently maintained by S1S for internal recordkeeping and for external review by overseers.

Provision: (U) Approximately every thirty days, NSA shall file with the Court a report that among many things includes a statement of the number of instances since the preceding report in which NSA has shared, in any form, results from queries of BR metadata that contain USP information, in any form, with anyone outside NSA.
Control: (U//FOUO) S1S and S214 independently track the number of disseminations since the preceding report in which NSA has shared, in any form, results from queries of BR metadata that contain USP information, in any form, with anyone outside NSA. CT tracks oral disseminations only. This data collectively is provided to OGC for input into the 30-day reports filed with the FISC.


(U) Retention 


(U) Provisions of BR Order 13-158 


(U) The BR Order requires that BR metadata be destroyed no later than five years (60 months) after its initial collection.


(U) NSA’s BR age-off process

(TS//SI//NF) To remain compliant with the five-year retention requirements, NSA completed its first BR age-off [redacted] May 2011.

[redacted: (b)(1); (b)(3)-P.L. 86-36]

(U//FOUO) Based on guidance from OGC, BR retention compliance is determined using the date when records are received from providers, not the call communication date.


• (U//FOUO) Record receipt date is the date on which providers electronically deliver BR metadata to NSA.

• (U//FOUO) Call communication date is the date on which a telephone call is made from one selection term to another.[38]


(U) Timing differences with call communication dates and record receipt dates 


[redacted: (b)(1); (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)] Because of these differences, NSA tracks record receipt dates for BR metadata to document compliance with the BR Order.

[redacted: (b)(1); (b)(3)-P.L. 86-36; (b)(3)-50 USC 3024(i)]

(U) Quarantine process 


[redacted: (b)(3)-P.L. 86-36; (b)(3)-18 USC 798; (b)(3)-50 USC 3024(i)]

37 (U//FOUO) In September 2013, the DoJ Civil Division directed NSA to preserve all records relating to the 
collection of BR metadata under the BR FISA program as a result of civil lawsuits against NSA. To comply with 
the preservation order, NSA did not age-off data with record receipt dates exceeding 60 months in 2014. This data 
was saved in partitions within NSA system repositories inaccessible to analysts. 


38 (U) Selection terms also refer to identifiers used in dialed number recognition (e.g., telephone numbers). 
(b)(1) 
(b)(3)-P.L. 86-36 


(U//FOUO) Table 19. 2013 BR Age-Off Procedures 


(b)(1) 
(b)(3)-P.L. 86- 


(U) Changes that affected the 2014 age-off 


(U//FOUO) In September 2013, DoJ’s Civil Division directed NSA to preserve all 
records relating to the collection of BR metadata under the BR FISA program as a 
result of civil lawsuits against NSA. This affected the age-off performed during 
2014: BR metadata that would have been aged off to comply with the BR Order was 
retained to comply with the preservation obligation. This data was saved in partitions 
within NSA system repositories inaccessible to analysts. 


(U//FOUO) On 12 March 2014, the FISC granted the government’s motion for 
temporary relief from the five year destruction requirement pending resolution of the 
preservation litigation filed by plaintiffs. As permitted by the BR Order, analysts 
continue to access for intelligence purposes [illegible] repository that contains 
BR metadata received on or after [illegible] retention cutoff date using 
RAS approved selection terms. 


(b)(1) 
(b)(3)-P.L. 86-36 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 
(C//REL TO USA, FVEY) Table A SYD 
(b)(3)-P.L. 86-36 


(before and after data comparison) 


(U//FOUO) Table 21 summarizes the provision of BR Order 13-158 for retention and 
the control implemented by NSA to maintain compliance. 


(U) Table 21. Retention Provision and Control 
(U//FOUO) 


BR Metadata must be destroyed no later than five years after its initial collection. | See Table 19 for the procedures performed to age-off BR metadata to comply with the BR Order in 2013. 


(U//FOUO) 


(U) Oversight 
(U) Provisions of BR Order 13-158 


(U) NSA’s OGC and ODOC will ensure that personnel with access to BR metadata 
receive appropriate and adequate training and guidance regarding the procedures and 
restrictions for collection, storage, analysis, dissemination, and retention of the BR 
metadata and the results of queries of the BR metadata. NSA’s OGC and ODOC will 
further ensure that all NSA personnel who receive query results in any form first 
receive appropriate and adequate training and guidance regarding the procedures and 
restrictions for handling and disseminating such information. NSA will maintain 
records of all such training. OGC will provide DoJ NSD with copies of all formal 
briefing and/or training materials (including all revisions) used to brief/train NSA 
personnel concerning this authority. 


(U) NSA’s ODOC will monitor implementation and use of the software and other 
controls (including user authentication services) and the logging of auditable 
information referenced in the previous paragraph. 


(U) NSA will ensure that an auditable record is generated whenever BR metadata is 
accessed for foreign intelligence analysis or accessed using foreign intelligence 
analysis query tools. 


(U) NSA’s OGC will consult with DoJ NSD on all significant opinions that relate to 
the interpretation, scope, and/or implementation of this authority. When 
operationally practicable, such consultation will occur in advance; otherwise, DoJ 
NSD will be notified as soon as practicable. 


(U) At least once during the authorization period, NSA’s OGC, ODOC, DoJ NSD, 
and any other appropriate NSA representatives will meet for the purpose of assessing 
compliance with the Court’s orders. Included in this meeting will be a review of 
NSA’s monitoring and assessment to ensure that only approved metadata is being 
acquired. The results of this meeting will be reduced to writing and submitted to the 
Court as part of any application to renew or reinstate the authority. 


(U) At least once during the authorization period, DoJ NSD will meet with the NSA’s 
OIG to discuss their oversight responsibilities and assess NSA’s compliance with the 
Court’s orders. 


(U) At least once during the authorization period, NSA’s OGC and DoJ NSD will 
review a sample of the justifications for RAS approvals for selection terms used to 
query the BR metadata.⁴⁰ 


(U) NSA oversight 
(U//FOUO) In addition to the oversight requirements listed in the BR Order, NSA 
performs additional oversight, not required in the Order, to ensure compliance. The 
organizations and the oversight performed are described next. 


(U//FOUO) BR FISA Authority Lead is the focal point for the BR FISA program 
within SID, reporting to the CT Associate Deputy Director, who reports to the SID 
Director. The BR FISA Authority Lead’s responsibilities include: 


40 (U//FOUO) As of 28 March 2014 (BR Order 14-67), the FISC no longer required OGC and DoJ NSD to conduct 
periodic reviews of RAS approved selection terms. The government sought this change as a result of the President’s 
directive of 17 January 2014 that NSA submit selection terms to the FISC for RAS approval. 


• (U//FOUO) Chairing weekly BMD meeting 


• (U//FOUO) Ensuring appropriate program direction and proper program 
functioning 


• (U//FOUO) Signing NSA’s declarations to the FISC during renewal and 


• (U//FOUO) Ensuring that the BR authority is used as described in the BR 
Order. 


(U//FOUO) Weekly BMD meetings are held to discuss BR FISA program activities 
to ensure compliance with the BR Order. They include representatives from OGC, 
ODOC, TV, SV, GTO, DIAs, TD, Counterterrorism Production Center (821), OIG, 
and other organizations involved in the BR FISA program. Agendas and notes are 
maintained for each meeting. 


(U//FOUO) Authorities Integration Group (AIG) reports directly to the Deputy 
DIRNSA. The AIG works directly with SID and Information Assurance Directorate 
authority leads, including the BR FISA Authority Lead, and holds weekly meetings 
with the authority leads and corporate process leads (e.g., TD, ODOC, OGC). 


(U//FOUO) The AIG focuses on the activities for each authority, both internal and 
external, to ensure that they are coordinated and integrated across NSA. The AIG 
acts as a “forcing function” within NSA, facilitating discussion among the 
Directorates to promote a better understanding of how decisions affect the various 
authorities. The AIG updates the Deputy DIRNSA quarterly on each authority. 


(U) ODOC In 2009, NSA created the position of Director of Compliance to improve 
the Agency’s ability to keep NSA’s activities consistent with the laws, policies, and 
procedures designed to protect USP privacy during SIGINT and information 
assurance missions. ODOC has specific functions with the BR FISA program 
outlined in the Order. The Assistant Director for Special Compliance Activities is 
ODOC’s representative to the BR FISA program. Some of ODOC’s responsibilities 
include: 


• (U) Involvement in all decisions related to the program, 

• (U) Participating in weekly BMD meetings, 

• (U) Updating BR FISA program training material, 

• (U) Participating in quarterly compliance meetings with DoJ NSD, and 

• (U) Leading the verification of accuracy (VoA) process. 


(U//FOUO) The BR FISA program has been designated a special compliance activity 
(SCA) since 2009, that is, an NSA mission activity determined to require additional 
tailored compliance safeguards to ensure the protection of USP privacy. When an 
activity is identified as an SCA, ODOC becomes active in all aspects of implementing 
the SCA until it is determined that it is sufficiently underpinned by the 
Comprehensive Mission Compliance Program and significant risks have been 
mitigated. The Comprehensive Mission Compliance Program provides a framework 
and strategy to organize, govern, and resource compliance activities across NSA. 


(U//FOUO) An activity may become an SCA when: 


• (U//FOUO) NSA’s external overseers (e.g., DoJ NSD, FISC, Congress) have 
a heightened sensitivity about an activity or the means by which NSA is 
executing an activity; 


• (U//FOUO) NSA’s legal, policy, compliance, or oversight elements determine 
that an activity requires attention to understand the application of compliance 
measures and potential risks; or 


• (U//FOUO) NSA identifies an activity or process that may be out of sync with 
oversight and compliance regulations and policies, thus making NSA 
vulnerable to compliance incidents. 


(U//FOUO) Recognizing the critical importance of the completeness and accuracy of 
documentation filed with external entities, ODOC developed line-by-line accuracy 
procedures, known as VoA. These procedures provide greater assurance that the 
representations NSA made to external overseers are accurate and based on a shared 
understanding among operational, technical, legal, policy, and compliance officials. 
NSA uses the VoA process during the application process to the Court when 
requesting renewal of the BR Order. 


(U//FOUO) OGC has specific functions with the BR FISA program outlined in the 
Order. One requirement is that the OGC consult with DoJ NSD on all significant 
opinions that relate to the interpretation, scope, or implementation of the authority. 
The lead OGC BR attorney, assigned from January 2013 to September 2014, stated 
that OGC consults with DoJ NSD on all significant opinions. OGC saves all 
correspondence discussing significant legal opinions with DoJ NSD in an 
access-controlled network folder. 


(U//FOUO) In 2013, NSA OGC met with DoJ NSD at least once during each BR 
authorization period to review a sample of the justifications for RAS approvals for 
selection terms used to query BR metadata. However, as of 28 March 2014 
(BR Order 14-67), the FISC no longer required OGC and DoJ NSD to conduct 
periodic reviews of RAS approved selection terms. The government sought this 
change as a result of a January 2014 presidential directive under which NSA began 
submitting selection terms to the FISC for RAS approval. 


(U//FOUO) In addition to the OGC’s oversight requirements listed in the Order, the 
OGC defined its BR FISA program responsibilities as: 


• (U//FOUO) Addressing all legal questions from BR FISA program 
stakeholders; 


• (U//FOUO) Coordinating all interaction with DoJ NSD; 


(b)(1) 
(b)(3)-P.L. 86-36 


• (U//FOUO) Coordinating the filing of 30-day reports and renewal documents; 


• (U//FOUO) Leading quarterly compliance reviews with DoJ NSD; 


• (U//FOUO) Performing First Amendment reviews for USP RAS approval 
(before 17 January 2014); 


• (U//FOUO) Coordinating RAS requests and submitting them to DoJ NSD for 
approval by the FISC (on and after 17 January 2014); and 


oe eee i eae FF SV,additionsof[ Jt 
(b)(3)-P.L. 86-36 the List. 


(U//FOUO) SV implements the SIGINT compliance program across NSA, 
particularly within SID, enabling the SIGINT mission to operate in compliance with 
laws, policies, and other guidance. SV provides guidance across the global SIGINT 
enterprise, manages compliance incidents, monitors compliance in high-risk areas, 
resolves problems, and verifies compliance through site visits, audits, and managing 
the SIGINT Intelligence Oversight Officer program. 


(TS//SI//NF) SV performs two main oversight functions for the BR FISA program: 
(1) managing access by verifying training requirements semi-weekly for persons who 
have the [redacted] credential and for persons included in the FISABR user 
group in [redacted] and (2) auditing all BR queries performed using query tools by 
mission and technical personnel to verify compliance with the requirements of the BR 
Order. SV’s process for verifying training and managing access can be found in the 
Access and Training section. 


(b)(3)-P.L. 86-36 


(TS//SI//NF) As the BR Order requires, whenever BR metadata is accessed for 
foreign intelligence analysis or accessed using foreign intelligence analysis query 
tools, an auditable record of activity is generated. Although not required by the BR 
Order, NSA audits all query records. SV verifies that only authorized personnel with 
the required credentials queried BR metadata, selection terms used to query BR 
metadata for intelligence analysis were RAS approved at the time of the query, and 
queries for intelligence analysis remained within the authorized number of hops from 
RAS approved seeds, as the BR Order requires. For the last two checks, SV verifies 
manually that the EAR software system controls are working as intended. SV stated 
that it has never found an instance of the EAR [redacted] 
allowing a non-compliant query to complete. In 2013, SV audited all BR 
query records for that year. 


(U) Additional SV responsibilities include: 


(b)(3)-P.L. 86-36 


• (U) Ensuring that SID incident reports are entered timely into NSA’s 
corporate incident reporting database 


• (U) Assisting in the development of oversight and compliance courses 


• (TS//SI//NF) Providing BR query statistics and [redacted] credentialing data for 
monthly metrics reports provided to SID leadership 


• (U//FOUO) Maintaining the content and access to the SV BR SharePoint site 
for storing BR FISA program documentation 


• (U//FOUO) Performing VoA for statements assigned to SV in the BR 
Declarations and 


+ SURES Anmmnving wij OOC, atom off] 
to the ERS Bene (b)(1) 


(U//FOUO) In 2013, SV also assisted DoJ NSD in its periodic review of RAS 
approved selection terms used for querying BR metadata. SV provided DoJ NSD 
with RAS justifications and supporting documentation for each review. As 
previously mentioned in the OGC Oversight section, the periodic reviews of RAS 
approved selection terms were discontinued pursuant to BR Order 14-67, 
28 March 2014. 


(U//FOUO) TV is responsible for identifying, assessing, tracking, and mitigating 
compliance risks, including USP privacy concerns, in NSA mission systems across 
the extended enterprise, including systems that hold BR metadata. TV manages the 
system compliance certification process, continuous compliance monitoring, and 
technical compliance incident management and conducts training and awareness for 
technical personnel. TV attends the BMD weekly meetings and performs VoAs for 
areas assigned to it in the BR Declarations. 


(U//FOUO) OIG conducts audits, special studies, inspections, investigations, and 
other reviews of programs and operations of NSA and its affiliates. OIG oversight 
includes: 


• (U//FOUO) Performing audits and special studies of the BR FISA program; 


• (U//FOUO) Meeting with DoJ NSD at least once during each BR 
authorization period to discuss oversight responsibilities, NSA’s compliance 
with the BR Order, the status of OIG reviews, and important developments 
affecting the BR FISA program (notes from these meeting are documented in 
[illegible]); 


• (U//FOUO) Receiving notification of incident reports for all NSA authorities, 
including BR FISA, saved in the Agency’s corporate incident reporting 
database; 


• (U//FOUO) Reviewing Congressional Notifications and notices filed with the 
FISC of incidents of non-compliance with the BR Order; 


• (U//FOUO) Preparing Intelligence Oversight Quarterly Reports, in 
coordination with the DIRNSA and OGC, that summarize compliance 
incidents for all authorities occurring during quarterly review periods and 
forwarding the reports to the President’s Intelligence Oversight Board through 
the Assistant to the Secretary of Defense for Intelligence Oversight 
(ATSD(IO))⁴¹; 


• (U//FOUO) Performing IO reviews during OIG inspections of joint and field 
sites; 


• (U//FOUO) Attending weekly BMD meetings for situational awareness; 


• (U//FOUO) Maintaining the OIG Hotline and responding to complaints of 
violations of law, rule, or regulation (the OIG also investigates allegations of 
SIGINT misuse by NSA affiliates operating under the DIRNSA SIGINT 
authority); and 


• (U//FOUO) Reporting immediately to the ATSD(IO) a development or 
circumstance involving an intelligence activity or intelligence personnel that 
could impugn the reputation or integrity of the IC or otherwise call into 
question the propriety of an intelligence activity. 


(U//FOUO) The OIG reviews management controls, maintains awareness of 
compliance incidents, and stays informed of changes affecting NSA authorities, 
including BR FISA. OIG reviews of the BR FISA program allow it to independently 
assess compliance with the BR Order. Since 24 May 2006, the date the original BR 
Order was signed, the OIG has completed five BR FISA program reviews. Table 22 
summarizes OIG reviews of the program. 


(U) Table 22. OIG Reviews of the BR FISA program 


(U//FOUO) 


09/05/06 | Assessment of Management Controls for Implementing the FISC Order: Telephony BR (ST-06-0018) | Reviewed collection, processing, analysis, dissemination, and oversight controls. 
05/12/10 | NSA Controls for FISC BR Orders (ST-10-0004) | Reviewed querying and dissemination controls; summarized pilot test results for January through March 2010. 
05/25/11 | Audit of NSA Controls to Comply with the FISC Order Regarding BR (ST-10-0004L)* | Reviewed querying and dissemination controls; summarized the monthly test results for 2010. 
10/20/11 | Audit of NSA Controls to Comply with the FISC Order Regarding BR Retention (ST-11-0011) | Verified age-off of BR FISA metadata in 2014 to maintain compliance with the 60 month retention requirement of the BR Order. 
08/01/12 | NSA Controls to Comply with the FISC Order Regarding BR Collection (ST-12-0003) | Reviewed collection and sampling controls for ensuring that NSA receives only the BR FISA metadata authorized by the BR Order. 


* (U//FOUO) This report summarized monthly test results of the BR querying and dissemination 
controls during 2010. 


(U//FOUO) 


41 (U//FOUO) In 2014, the ATSD(IO) was changed to the Office of the Senior DoD Intelligence Oversight Official. 


(U) External oversight 


(U) DoJ NSD is the liaison between NSA and the FISC for the BR FISA program. 
DoJ NSD oversight includes the following: 


• (U) Coordinating 90-day renewal applications 


• (U//FOUO) Providing guidance to NSA OGC on all significant legal opinions 
relating to the interpretation, scope, and implementation of the BR authority 


• (U//FOUO) Reviewing NSA briefings and training transcripts to ensure that 
they accurately describe the requirements of the BR Order before NSA 
incorporates material into its training program (e.g., OVSC1205, OVSC1206) 


• (U//FOUO) Meeting with NSA’s OIG at least once during each BR 
authorization period to discuss oversight responsibilities and NSA compliance 
with the BR Order. Proposed initiatives and other important developments 
affecting the BR FISA program are discussed with the OIG 


• (U) Meeting with NSA’s OGC, ODOC, and other NSA stakeholders at least 
once during BR authorization periods to assess compliance. DoJ NSD meets 
with OGC, ODOC, and the BR FISA Authority Lead to review the Quarterly 
Compliance Report that summarizes the results of weekly tests NSA 
performed to ensure that NSA is receiving only authorized data. DoJ NSD 
submits summaries of these meetings in writing to the FISC as part of 
applications to renew the authority. 


(TS//SI//NF) In 2013, DoJ NSD met with NSA OGC and SV at least once each BR 
authorization period to review a sample of the justifications for RAS approvals for 
selection terms used to query BR metadata. For RAS selection terms approved in 
2013, DoJ NSD sampled 100 percent of the USP RAS selection terms and 20 percent 
of the foreign RAS selection terms. As mentioned in the OGC Oversight section, DoJ 
NSD and OGC’s periodic reviews of RAS selection terms were discontinued pursuant 
to BR Order 14-67, dated 28 March 2014. NSA now submits selection terms to the 
FISC for RAS approval to comply with the President’s January 2014 directive. 


(b)(1) 
(b)(3)-P.L. 

Table 23 summarizes DoJ NSD sampling of RAS selection terms approved in 2013. 


(U//FOUO) Table 23. DoJ NSD Sample of RAS Selection Terms 
Approved in 2013 


* (U//FOUO) Estimate calculated using DoJ NSD sampling methodology (sample 20 percent of 
foreign selection terms for review). 


† (U//FOUO) Data includes RAS selection terms that may have been approved more than once in 
2013. 


(U//FOUO) ODNI representatives attend DoJ NSD meetings with NSA’s OGC, 
ODOC, and the BR FISA Authority Lead to review the Quarterly Compliance Report. 
Although ODNI does not have a formal role described in the BR Order, it participates 
in its general role as an overseer of IC activities. 


(C//REL TO USA, FVEY) FISC is the approving authority for all renewals, 
amendments, reinstatements of the BR authority, and, starting in February 2014, RAS 
for selection terms NSA submitted. The FISC approves the BR Primary Orders that 
authorize NSA to acquire bulk BR FISA metadata and the BR Secondary Orders that 
compel providers to provide daily bulk BR FISA metadata to NSA for the duration of 
the Order. The FISC performs oversight by receiving filings of Rule 13(a) Notices, 
Correction of Material Facts, and Rule 13(b) Notices, Disclosure of Non-Compliance, 
by DoJ NSD on behalf of NSA. The FISC also reviews the 90-day renewal 
applications and 30-day reports that NSA files. The 30-day reports document NSA 
application of the RAS standard (no longer applies after March 2014); NSA’s 
implementation and operation of the automated query process (no longer applies after 
March 2014—NSA never implemented the process and withdrew its request to do 
so); NSA’s description of significant changes in the way in which the BR metadata is 
received from providers and significant changes to the controls NSA has in place to 
receive, store, process, and disseminate BR metadata; and the number of instances 
since the preceding report that NSA disseminated, in any form, USP information 
outside NSA. The 30-day reports also include NSA’s attestation that the CT nexus 
was completed and disseminations were approved by a designating approving 
authority before disseminating USP information derived from BR-unique metadata. 


(U) Table 24 summarizes the provisions of BR Order 13-158 for oversight and the 
controls implemented by NSA to maintain compliance. 


(U) Table 24. Oversight Provisions and Controls 


personnel with query access to BR metadata receive appropriate and adequate training and guidance regarding the procedures and restrictions for collection, storage, analysis, dissemination, and retention of the BR metadata and the results of queries of the BR metadata. 


NSA’s OGC and ODOC will ensure that all NSA personnel who receive query results in any form first receive appropriate and adequate training and guidance regarding the procedures and restrictions for the handling and dissemination of such information. | See Table 14 - Access and Training Provisions and Controls. 


NSA will maintain records of all such training. 


OGC will provide DoJ NSD copies of all formal briefing and training materials (including all revisions) used to train NSA personnel concerning the authority. 


DOCID: 4273474 
TOP SECRET//SI//NOFORN 
ST-14-0002 
NSA’s ODOC will monitor implementation and use of software and other controls (including user authentication services) and the logging of auditable information referenced above. | SV performs 100 percent audits of queries performed using query tools by mission and technical personnel to verify that only authorized personnel who have the required credentials queried BR metadata, selection terms used to query BR metadata for intelligence analysis purposes were RAS approved at the time of the query, and queries for intelligence analysis purposes remained within the number of authorized hops from RAS approved seeds. 


NSA’s OGC will consult with DoJ NSD on all significant opinions that relate to the interpretation, scope, and/or implementation of this authority. | NSA OGC confirmed that NSA has always consulted with and received advance approval from DoJ NSD and the FISC before implementing significant changes to the BR FISA program. NSA OGC saves all correspondence with DoJ NSD in an access-controlled network folder. 


At least once during the authorization period, NSA’s OGC, ODOC, DoJ NSD, and any other appropriate NSA representatives will meet to assess compliance with the Court’s orders. Included in this meeting will be a review of NSA’s monitoring and assessment to ensure that only approved metadata is acquired. The results of this meeting will be reduced to writing and submitted to the Court as part of any application to renew or reinstate the authority. | DoJ NSD meets with OGC, ODOC, and the BR Lead to review the Quarterly Compliance Report, which summarizes the results of weekly tests performed by NSA to ensure that it is receiving only the BR metadata authorized by the Order. DoJ NSD submits summaries of these meetings in writing to the FISC as part of the applications to renew the authority. 


At least once during the authorization period, DoJ NSD will meet with the NSA’s OIG to discuss their respective oversight responsibilities and assess NSA’s compliance with the Court’s orders. | NSA OIG meets with DoJ NSD at least once during BR authorization periods to discuss oversight responsibilities and NSA’s [illegible] with the requirements of the Order. Note [illegible] these meeting are documented in [illegible]. 


At least once during the authorization period, NSA’s OGC and DoJ NSD will review a sample of the justifications for RAS approvals for selection terms used to query the BR metadata. | In 2013, NSA OGC and SV met with DoJ NSD at least once during BR authorization periods and review a sample of the justifications for RAS approvals for selection terms used to query the BR metadata.* 


* As of 28 March 2014 (BR Order 14-67), the FISC no longer required OGC and DoJ NSD to conduct 
periodic reviews of RAS approved selection terms. The government sought this change as a result 
of the President's January 2014 directive under which NSA began submitting selection terms to the 
FISC for RAS approval. 


(b)(3)-P. 


(U//FOUO) 


(U) BR FISA Program Incidents of Non-Compliance 


(U//FOUO) FISC Rules of Procedure require that NSA report “corrections of material 
facts” and “disclosures of non-compliance” with FISC Orders. NSA also must 
determine whether Congressional notifications are required. Our review focused on 
the process for identifying and reporting incidents of non-compliance, the incidents 
reported in 2013 to the Court and other external overseers, and the controls NSA has 
instituted to mitigate recurrence of compliance incidents. 


(U) FISC Rules of Procedure 


(U) The FISC Rules of Procedure, 1 November 2010, adopted pursuant to 
50 U.S.C. § 1803(g), govern FISC proceedings. Rule 13, Correction of Misstatement 
or Omission; Disclosure of Non-Compliance, is the procedure that NSA follows when 
notifying the Court, through DoJ NSD, of BR FISA misstatements and compliance 
incidents. 


(U) Rule 13(a) Correction of Material Facts If the government discovers that a 
submission to the Court contained a misstatement or omission of material fact, the 
government must immediately, in writing, inform the Judge to whom the submission was 
made of: 


(1) (U) the misstatement or omission; 

(2) (U) necessary corrections; 

(3) (U) the facts and circumstances relevant to the misstatement or omission; 

(4) (U) modifications the government has made or proposes to make in how it will 
implement any authority or approval granted by the Court; and 

(5) (U) how the government proposes to dispose of or treat information obtained as a 
result of the misstatement or omission. 


(U) Rule 13(b) Disclosure of Non-Compliance If the government discovers that any 
authority or approval granted by the Court has been implemented in a manner that did not 
comply with the Court’s authorization or approval or with applicable law, the 
government must immediately, in writing, inform the Judge to whom the submission was 
made of: 


(1) (U) the non-compliance; 

(2) (U) the facts and circumstances relevant to the non-compliance; 

(3) (U) modifications the government has made or proposes to make in how it will 
implement any authority or approval granted by the Court; and 

(4) (U) how the government proposes to dispose of or treat information obtained as a 
result of the non-compliance. 


(U) Identifying and Reporting Incidents of Non-Compliance 


(U) Identifying incidents of non-compliance 


(U//FOUO) NSA typically discovers incidents of non-compliance with the BR Order 
during its operation of the BR FISA program. Because of the program’s sensitivity, 
suspected anomalies are reported out of an abundance of caution. Training, a pillar of 
the compliance framework, provides a heightened sense of awareness for personnel to 
identify potential violations of the BR Order. A second pillar, monitoring and 
assessment, includes manual and technical controls to detect abnormalities. A weekly 
BMD meeting, attended by BR FISA program stakeholders, provides a forum for 
addressing potential problems. 


(U//FOUO) When a possible incident is discovered, it is communicated to the BR 
FISA Authority Lead, OGC, ODOC, SV, and, if appropriate, TV and S2. BR FISA 
program stakeholders meet to discuss the facts and determine, with OGC’s 
concurrence, whether a potential violation of the Order has occurred. If OGC 
believes an incident has or may have occurred, even if all the facts have not been 
gathered, preliminary notification to DoJ NSD is made shortly after notice to the 
DIRNSA, other NSA leadership, BR FISA program stakeholders, and OIG. Upon 
receiving initial notification from OGC, DoJ NSD starts drafting a preliminary 
notification to the Court. 


(U//FOUO) Once the facts have been gathered and OGC has made an initial 
determination that a violation of the BR Order has occurred, OGC finalizes a 
notification of non-compliance and forwards it to DoJ NSD, which makes the final 
determination as to whether there has been an incident of non-compliance that must 
be reported to the FISC. If DoJ NSD determines that an incident has occurred, it 
prepares a draft notification to the Court, coordinates the notification with NSA, 
finalizes the draft, and files the notification with the Court. 


(U/ÆS697 DoJ NSD often filcs a preliminary notification with the Court and, if 
needed, will follow up later with additional notifications, In some cases, the 
preliminary notification of an incident serves as the final notice. More than one 
notice to the Court to address an incident is typically required when at the time of the 
preliminary notification : 


« (U/FE8C} NSA does not have all the facts the Court needs to fully 
understand or address the incident or 


°. (U/FOEHC} Remedial follow-on action may be needed. 


(U//FOUO) For the four incidents of non-compliance first reported to the Court in 
2013, two required additional information; therefore, final notices were filed 
separately. One of the incidents included a notice of material misstatement because 
NSA had previously filed a declaration to the Court that contained inaccurate 
information. 


(U) Congressional notifications 


(U//FOUO) In addition to the requirement to notify the FISC, DIRNSA has a 
statutory obligation to keep the Senate Select Committee on Intelligence and the 
House Permanent Select Committee on Intelligence fully and currently informed of 
all significant intelligence activities. ° NSA resolves doubts about notification in 
favor of notification. In addition to notifying Congress and the Director of National 
Intelligence (DNI), DIRNSA must notify the Undersecretary of Defense for 
Intelligence (USD(I)) and other USD(I) staff, as USD(I) guidance directs. For all BR 
FISA incidents of non-compliance reported by Congressional notifications to the 
intelligence committees, NSA also notifies the Senate and House Committees on the 
Judiciary. 


(U//FOUO) NSA’s Legislative Affairs Office (LAO) manages NSA’s liaison with the 
Congress and DNI, DoD, the IC, and other U.S. government departments and 
agencies regarding matters of concern to the Congress. LAO is NSA’s focal point for 


4? (U) See 50 U.S.C. §3091, as implemented by Intelligence Community Directive 112, Congressional Notification, 
16 November 2011. 
Congressional inquiries, correspondence, questions for the record, and RFIs directed 
to NSA. 


(U//FOUO) NSA Policy 1-33, Relations with the Congress, 22 July 2005, provides 
guidelines for identifying matters that OGC and LAO must consider reporting to the 
Congressional intelligence committees under 50 U.S.C. §§3091 and 3092. The 
guidelines do not constitute a comprehensive list of what must be reported. 
Compliance incidents are assessed under a general guideline to consider for reporting 
matters that the intelligence committees have expressed a continuing interest in or 
which otherwise qualify as significant intelligence activities or failures. 


(U//FOUO) NSA works to keep Congressional intelligence committees fully and 
currently informed about the Agency’s activities, more than what is required under 
the guidelines outlined in NSA/CSS Policy 1-33. 


(U//FOUO) OGC’s analysis of the incidents of non-compliance that occurred in the 
BR FISA program in 2013 resulted in three of the four incidents reported as 
Congressional notifications. 


(U) 2013 Incidents of Non-Compliance 


(U//FOUO) In 2013, NSA reported four incidents of non-compliance to the Court. 
The following are NSA’s reports of the incidents and the actions NSA took to 
mitigate recurrence. 


(b)(1) 
(b)(3)-P.L. 86-36 


[illegible] 


(TS//SI//NF) [redacted] NSA analyst conducted a query of the BR metadata 
with a RAS approved U.S. person selection term (the U.S. person is currently subject to 
Court-authorized electronic surveillance [illegible]). The query yielded new identifiers believed 
to be used by the same U.S. person as the selection term. The analyst then sent those 
[redacted] U.S. person identifiers, for further tasking, to an e-mail alias that included NSA 
personnel who had not completed the required BR metadata training to receive query 
results containing U.S. person information. The analyst also entered the [redacted] identifiers 
into certain analytic and tasking tools to which NSA personnel without the required BR 
metadata training have access. 


(TS//SI//NF) The same day, the analyst’s NSA supervisor realized that the [redacted] 
U.S. person identifiers had been shared, within NSA, with analysts who had not received 
the training required to receive them. The supervisor took steps to immediately detask 
the identifiers, delete them from the analytic tools, and recall the e-mail message, 
processes which had been successfully completed on or about March 22, 2013. The 
analytic and tasking tools had returned no collection or results, and a follow-up e-mail 
was sent to all addresses on the e-mail alias instructing that anyone without the required 
training should destroy all copies of the original e-mail sent to the alias. 


(U//FOUO) OGC determined that no Congressional notification was required for this 
incident. 
(TS//SI//NF) Controls put in place to mitigate recurrence. The BR Order requires 
that results of queries of BR metadata may be shared among NSA analysts for 
intelligence analysis before minimization, subject to the requirement that all NSA 
personnel who receive query results in any form first receive appropriate and 
adequate training and guidance regarding the procedures and restrictions for handling 
and disseminating such information. Analysts who run queries and obtain results on 
BR metadata receive annual OVSC1205 training regarding the rules and restrictions 
on sharing BR metadata query results. Before analysts share BR-derived query 
results containing USP information, they must confirm that the recipient has the 
[redacted] credential to receive BR metadata information. Analysts are reminded to 
mitigate recurrence, the analyst’s supervisor reiterated to the analyst the requirements 
for sharing BR metadata query results and the portions of the OVSC1205 training 
related to sharing. 


Notice of Compliance Incident 


NSA technical personnel discovered that NSA 
had inadvertently retained files containing call detail records that were more than five 
years old. Specifically, these call detail records, which had been produced pursuant to 
the Court’s Primary Order [illegible]. These call detail 
records were those used in connection with a migration of call detail records to a 
[illegible]. See Declaration, Docket Number BR 
11-57 at 13 n.8 (describing migration of records to a replacement system). The call 
detail records could be accessed or used by only technical personnel who had received 
appropriate and adequate training to access call detail records. 


NSA technical personnel destroyed the call 
detail records used in the migration of records that had been inadvertently retained past 


the retention limit of five years. As a result of the destruction, NSA is unable to provide 
an estimate regarding the volume of data destroyed. For recovery back-up purposes, 
NSA has retained those call detail records used in the migration of records that did not 
exceed the retention limit, and will use those records in accordance with the 
requirements of the Court’s Primary Orders. 


(TS//SI//NF) On 7 May 2013, NSA submitted a Congressional notification of the 
compliance incident to the House Permanent Select Committee on Intelligence, the 
Senate Select Committee on Intelligence, and the House and Senate Committees on 
the Judiciary. Copies were also provided to Congressional affairs offices at the 
ODNI, USD(I), and DoJ. On 7 May 2013, the NSA OIG notified the ATSD(IO) of 
the incident and Congressional notification. 


(b)(3)-P.L. 86-36 


(TS//SI//NF) Controls put in place to mitigate recurrence. In response to this 
incident, technical personnel developed a script that searches for ingest and backup 
files [illegible] containing BR metadata older than four years, 11 months. 
Before the preservation order, if such files were identified, the script would send 
automated reminders weekly for three weeks and then daily until the files had been 
manually deleted.” No files matching the criteria have been identified since the 
script was developed. Before the preservation order, the [redacted] database, which 
ingests files from the servers, automatically deleted files before they 
reached the five-year mark. NSA maintains location restrictions for machines and 
directories that hold BR metadata files. 
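
The retention check described above, sketched as an added example; it is not NSA's script, which the report does not reproduce. It assumes file modification time stands in for record age and reads "weekly for three weeks and then daily" as reminders on days 0, 7 and 14 after first detection and every day from day 21; the function names and sample paths are hypothetical.

```python
"""Retention sweep sketch: flag files nearing a five-year limit, schedule reminders."""
from __future__ import annotations

import calendar
import os
import tempfile
from datetime import date, datetime, timezone
from pathlib import Path

WARN_MONTHS = 4 * 12 + 11  # the report's "older than four years, 11 months"
WEEKLY_PHASE_DAYS = 21     # assumption: weekly reminders fall on days 0, 7, 14


def months_before(day: date, months: int) -> date:
    """Calendar-aware subtraction that clamps to month end (31 Mar -> 30 Apr)."""
    index = day.year * 12 + (day.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day))


def find_overdue(root: str, today: date) -> list[str]:
    """Return relative paths of files strictly older than the warning age.

    Assumption: mtime stands in for the age of the records in a file. A real
    sweep would read record timestamps, because a copy or restore resets mtime.
    """
    cutoff = months_before(today, WARN_MONTHS)
    overdue = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories and links (a link may point outside root)
        modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc).date()
        if modified < cutoff:
            overdue.append(path.relative_to(root).as_posix())
    return sorted(overdue)


def reminder_due(first_flagged: date, today: date) -> bool:
    """Weekly during the first three weeks after detection, then every day."""
    elapsed = (today - first_flagged).days
    if elapsed < 0:
        return False
    if elapsed < WEEKLY_PHASE_DAYS:
        return elapsed % 7 == 0
    return True


def build_sample_tree(root: str) -> None:
    """Constructed sample data: three files with backdated modification times."""
    samples = {
        "ingest/old.dat": date(2009, 1, 10),
        "ingest/recent.dat": date(2012, 6, 1),
        "backup/at_cutoff.dat": date(2009, 2, 15),  # exactly at the cutoff, not older
    }
    for rel, day in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample\n")
        stamp = datetime(day.year, day.month, day.day, 12, tzinfo=timezone.utc).timestamp()
        os.utime(path, (stamp, stamp))


def demo(today: date = date(2014, 1, 15)) -> list[str]:
    """Build the sample tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_overdue(root, today)


if __name__ == "__main__":
    for name in demo():
        print("retention warning:", name)
```

The one-month margin before the five-year limit is what gives the manual deletion step time to complete; the reminder escalation only helps if someone owns the alert.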


Notice of Compliance Incidents: 


(b)(1) 
(b)(3)-P.L. 86-36 


Preliminary: [redacted] NSA informed the 
NSD’s Office of Intelligence (OI) that, in the course of reviewing its formal reporting to 
the FISC, it had identified BR metadata products containing U.S. person information that 
it had not reported in thirty-day reports to the Court. These disseminations [redacted] 
[illegible] metadata product, an authorized official made the required CT determination prior to 
dissemination. NSA and OI continue to investigate the facts and circumstances 
concerning this matter and the DoJ will provide a thorough explanation of this matter to 
the Court. 
(TS//SI//NF) Final final notice of Compliance Incidents, 
was filed with the Court. The notice 
indicated that the disseminations—[redacted] in total—were not included in the thirty-day 
reports because at the time the incidents occurred NSA relied on a 
single individual to keep reports of disseminations that occurred during each reporting 
period and to provide information about those disseminations for inclusion in the thirty- 
day reports. Inadvertently, the disseminations described above were not recorded and, 
as result, information about them was not included in the thirty-day reports. Currently, 
as discussed in a notice in this matter filed with the Court [redacted], NSA’s 
Information Sharing Services (ISS) office maintains records of the CT determinations for 
each disseminated BR metadata product containing U.S. person information. NSA’s ISS 
now also verifies the accuracy of statements regarding disseminations that are included 
in each thirty day report by confirming that its records reflect the number of 
disseminations described in each report. 


Along with the final notice, a supplemental report to the Court provided 
additional details and NSA’s attestation that, before dissemination, the USP 
information was determined to be related to CT information and necessary to 
understand the CT information or to assess its importance. 


(TS//SI//NF) On 20 September 2013, NSA submitted a Congressional notification of 
the compliance incident to the House Permanent Select Committee on Intelligence, 
the Senate Select Committee on Intelligence, and the House and Senate Committees 
on the Judiciary. Copies were also provided to the Congressional affairs offices at 
ODNI, USD(I), and DoJ. On 12 September 2013, the NSA OIG notified the 
ATSD(IO) about the incident and pending Congressional notification. 


8 (USYS) On 21 March 2014, the U.S. District Court for the Northern District of California issued a 
preservation order against the destruction of BR metadata 
(b)(3)-P.L. 86-36 


(TS//SI//NF) Controls put in place to mitigate recurrence. In response to this 
incident, [redacted] NSA issued the “BR FISA Reporting Process SOP” 
that documents external reporting requirements and organizational responsibilities 
and defines a standardized, repeatable process for the creation, coordination, and 
release of mandatory FISC reports for the BR FISA program. The SOP states that, as 
part of incident remediation, the BR program committed to refine the manual report 
process and create a software [illegible] to help automate accounting of BR 
FISA disseminations. 


[redacted], NSA’s corporate dissemination tracking tool, was 
implemented in December 2013. Before this, disseminations were tracked manually. 
Since then, all disseminated reports derived from BR metadata have been tracked in 

Notice of Material Misstatement and [illegible] Incident, [redacted] 


(b)(1) 
(b)(3)-P.L. 86-36 


Preliminary: [redacted] NSA notified the NSD’s OI that (1) [redacted] 


(TS//SI//NF) NSA deleted [illegible] call detail records [redacted]. Prior to 
its destruction, the [redacted] was stored at all times on servers 
accessible only to technical personnel and was not available for intelligence analysis. 
NSA and OI continue to investigate the facts and circumstances concerning this matter 
and the DoJ will provide a thorough explanation of the matter to the Court upon 
completion of the investigation. 


Final notice of Compliance Incident [illegible] 


[redacted] call detail records 


(TS//SI//NF) On 17 December 2013, NSA submitted a Congressional notification of 
the compliance incident to the House Permanent Select Committee on Intelligence, 
Senate Select Committee on Intelligence, and the House and Senate Committees on 
the Judiciary. Copies were also provided to the Congressional affairs offices at the 
ODNI and USD(I). On 2 December 2013, the NSA OIG notified the ATSD(IO) of 
the incident and pending Congressional notification. 




(TS//SI//NF) Controls put in place to mitigate recurrence. NSA filed a “Notice of 
Material Misstatement” because in a previous declaration to the Court, NSA stated 
that it had expected to receive sample [redacted] records 
[redacted] for testing and that NSA had notified the providers that it did not want 
[illegible] information. NSA was not able to verify [illegible]. As 
an implementing control, NSA modified the way it performs the VoA on the 
declaration to the Court so that all organizations associated with the BR FISA 
program participate in the VoA process and review the entire document. The BR 
FISA Authority Lead initiated quarterly meetings with stakeholders to compare the 
previous final BR Order with the new declaration to identify changes and ensure that 
the new declaration is reviewed for accuracy. Since the incident, NSA has not 
received sample [redacted] 


(TS//SI//NF) As discussed in the Sampling section, DIAs test the [redacted] 
feed daily and weekly to verify that it does not contain CSLI data. The DIAs 
identified no CSLI data since the [redacted] feed became operational 


(U//FOUO) The four incidents of non-compliance were included in NSA’s first, third, 
and fourth quarters 2013, Report to the Intelligence Oversight Board on NSA 
Activities. 


(U//FOUO) For a list of the incidents of non-compliance from 2010 through 2012, see 
Appendix B. 


(U) NSA Use of the BR FISA Authority 


(U//FOUO) Although no formal process has been implemented to assess the 
effectiveness of the BR FISA authority, NSA asserts that the authority has made 
valuable contributions to the CT intelligence mission and that it plays an important 
role for NSA intelligence analysts tasked with identifying potential terrorist threats to 
the U.S. homeland and U.S. interests abroad. 


(U) Methods Used to Assess Effectiveness 


(b)(1) 
(b)(3)-P.L. 86-36 


(U) NSA’s BR FISA program was developed to assist the U.S. government in 
detecting communications between known or suspected terrorists operating outside 
the United States and others inside the United States, as well as communications 
among operatives within the United States. The 9/11 Commission identified 
detecting and linking such communications as a critical intelligence gap in the 
aftermath of the attacks on 11 September 2001. 


(TS//SI//NF) Based on requests from the Senate Select Committee on Intelligence to 
determine the “value of the program,” NSA and FBI personnel developed in February 
2014 the “BR FISA Bulk Metadata NSA/FBI Process for FBI Feedback” plan that 
describes NSA’s responsibility to deliver to the FBI spreadsheets with BR 
information and the FBI’s responsibility to summarize use for NSA. The plan called 
for FBI’s [redacted] to categorize selection terms in the BR FISA 
report as follows: 
• (U//FOUO) Not of Interest—selection term is technically flawed or the 
characteristics make it worthless for research. 


• (U//FOUO) Known to the FBI—FBI is aware of the selection term 
independently. 


• (U//FOUO) Known to the FBI with additional information—FBI is aware of 
the selection term independently, but NSA reporting provides amplifying 
information to aid FBI investigations. 


• (U//FOUO) Unknown to the FBI—the FBI was not aware of the selection 
term. 


(TS//SI//NF) Under the plan, [redacted] would send BR-unique leads to FBI field 


(b)(1) 
(b)(3)-P.L. 86-36 


(U//FOUO) BR FISA program leadership recognizes that there is no process to track 
program effectiveness. They agreed on the need to track effectiveness but were 
unable to determine how to do so. Feedback is difficult to obtain. One former BR 
FISA program leader asked, “How do you assess the effectiveness of an authority 
when we don’t get feedback from the customer?” 


(TS//SI//NF) Another limitation on NSA’s ability to determine the effectiveness of 
the BR FISA program 


(b)(1) 
(b)(3)-P.L. 86-36 
(U) Table 25. Selection Terms in Approved Status as of 31 December 2013 
by Target Office of Primary Interest 


(b)(1) 
(b)(3)-P.L. 86-36 


[illegible] NSA implemented the “BR 
FISA Bulk Metadata Monthly Internal Report for SID.” The report includes: 


• (U//FOUO) Program highlights, 

• (U//FOUO) Number of disseminations, 

• (U//FOUO) Number of approved RAS selection terms, 

• (U//FOUO) Number of queries, 

• (U//FOUO) BMD volume, and 

• (U//FOUO) Number of personnel by organization and work role with program 
access, approved to disseminate USP information, and approved as HMCs. 


(U) Contributions from BR FISA Authority that Support the CT Intelligence 
Mission 


(U) 2013 highlights 


(TS//SI//NF) NSA does not assert that information from the BR FISA program does, 
by itself, identify or thwart plots. Instead, information obtained through the program 
plays a complementary role within a larger body of intelligence and CT 
investigations. It is important to note that BR metadata may sometimes be the single 
source of intelligence. However, typically, acquisition and analysis of BR metadata 
are designed to fill gaps in information gathered under other collection authorities. 
By helping close those gaps, NSA personnel report that BR data contributes to 
comprehensive efforts to identify and address threats to the homeland. The following 
are highlights from the BR FISA program in 2013. 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-18 USC 798 
(b)(3)-50 USC 3024(i) 


(U) On 21 June 2013, in response to a request from the House Permanent Select 
Committee on Intelligence after unauthorized public disclosures, NSA provided to 
that committee and the Senate Select Committee on Intelligence, the House and 
Senate Committees on the Judiciary, and the Defense subcommittees of the House 
and Senate Appropriations Committees a list of 54 events in which the BR FISA or 
FAA §702 authorities or both contributed to the production of SIGINT and to the IC’s 
understanding of terrorism activities. 


(U) Analyst Use of the Authority 


(U//FOUO) NSA senior management believe that the BR FISA program is important 
to intelligence analysts tasked with identifying potential terrorist threats to the 
U.S. homeland, primarily in support of the FBI, by enhancing their ability to detect, 
prioritize, and track terrorist operatives and their support networks in the United 
States and abroad. By querying BR metadata, intelligence analysts are said to: 


• (U//FOUO) Detect domestic and foreign selection terms in contact with 
domestic and foreign selection terms associated with foreign terrorist 
organizations, 


• (U//FOUO) Discover selection terms with which the foreign and domestic 
selection terms associated with foreign terrorist organizations are in contact, 
and 


• (U//FOUO) Detect possible terrorist-related communications between 
communicants inside the United States. 


(b)(3)-P.L. 86-36 


(U) Identifying threats 


(U//FOUO) NSA has many sources of information that provide indications of 
potential terrorist activity against the United States and its interests abroad. The best 
analysis typically occurs when analysts evaluate information obtained from all those 
sources to disseminate to the FBI and the IC as complete a picture as possible of 
potential terrorist threats. Although BR metadata is not the sole source of information 
available to NSA CT personnel, it is a component of the information that analysts rely 
on to execute threat identification and characterization. BR metadata can add to the 
IC’s and law enforcement community’s understanding and evaluation of threat 
information and the need to take investigative action. 


(U) Agility 


(U) BMD, NSA personnel assert, enables the Agency to quickly analyze 
communications and contact chains. Unless the data is aggregated, it may not be 
feasible to detect communication chains that cross communication networks and 
authorities. The ability to query accumulated metadata from multiple authorities 
significantly increases NSA’s ability to rapidly detect persons who are affiliated with 
foreign terrorist organizations and might otherwise go undetected. 


(U) Hops 


(b)(3)-P.L. 86-36 


(U//FOUO) When NSA performs a contact-chaining query on a terrorist-associated 
selection term, analysts are able to detect not only the direct contacts made by that 
first tier of contacts but also the additional tiers of contacts, out to the maximum 
number of permitted hops from the seed selection term. [redacted] 
provides a more complete picture of those who associate with terrorists or are 
engaged in terrorist activities. The ability to look at a network beyond the first hop 
enables analysts to potentially identify the core of a network, focusing and 
prioritizing resources efficiently against threats. 


(U) Historical data 


(TS//SI//NF) Another advantage that SID leadership ascribes to the BR FISA 
program is that the BR metadata is historical. 
[illegible] connections are critical to understanding 
newly identified targets, and metadata may contain links that are unique, pointing to 
potential targets of interest that may otherwise be missed. 
(U) Tradecraft 


(U//FOUO) Analysts report that BR metadata analysis enriches their understanding of 
the communications tradecraft of terrorist operatives who may be preparing to 
conduct attacks against the United States. 


(b)(3)-P.L. 86-36 
(U) Complementary 


(U//FOUO) The BR FISA program, SID leadership asserts, complements information 
that NSA collects by other means, increasing the value to the Agency and linking 
possible terrorist-related telephone communications between communicants based 
solely inside the United States. As a complementary tool to other intelligence 
authorities, the NSA’s access to BR metadata increases the likelihood of detecting 
terrorist cell contacts within the United States. The BR FISA program provides NSA 
the information necessary to perform call chaining that can enable analysts to obtain a 
much broader understanding of the target and, as a result, allow NSA to provide to 
the FBI and the IC a more complete picture of possible terrorist-related activity inside 
the United States. 


(U) Prioritizing 


(b)(3)-P.L. 86-36 


(U//FOUO) The BR FISA program assists with applying limited analytic and 
linguistic resources available to the CT mission [redacted] have the highest 
probability of connection to terrorist targets. Analysis of BR metadata can help 
analysts prioritize communications of non-USPs that it acquires under other 
authorities because such persons are of heightened interest if they are in a 
communication network with persons in the United States. 


(U//FOUO) SID leadership asserts that, without the ability to obtain and analyze BR 
metadata, NSA would lose a tool for detecting communication chains that link to 
selection terms associated with known and suspected terrorist operatives, which can 
lead to the identification of previously unknown persons of interest. The BR FISA 
program allows efficient [illegible] terrorist activities. Any other means that might be used 
to conduct similar analyses would require multiple, time-consuming steps that would 
frustrate rapid analysis in emerging situations and could fail to capture some 
information available through BR metadata. If BR metadata is not aggregated and 
retained for a time, NSA could not [illegible] 


(U) Former DIRNSA General Alexander testified to the Senate Committee on the 
Judiciary in December 2013: 


(U) Measuring the value of the BR FISA authority by the number of plots exposed to date 
misses the point and presents us with a false choice. The BR FISA authority is similar to 
an insurance policy, designed to make sure that the gap exposed after 9/11 doesn’t 
happen again, with perhaps even more catastrophic consequences. As with an insurance 
policy on your house, you don’t determine its value by asking how many times you’ve 
collected on the policy to date—you want to have it for the possible fire, or flood, or theft 
in the future. Combined with the limitations on the program, the potential benefit in 
allowing us to uncover the hidden terrorist in the U.S. still provides a unique value 
consistent with the protection of privacy rights. 
III. (U) FAA §702 


(U) Background 


(U) The FAA §702 certifications 


(S//NF) Section 702 of FAA, Procedures for Targeting Certain Persons Outside the 
United States other than United States Persons, states that the Attorney General and 
the DNI may jointly authorize, for the period of up to one year, the targeting of 
persons who are not USPs and who are reasonably believed to be located outside the 
United States to acquire foreign intelligence information. This authority is granted on 
the basis of annual certifications made by the Attorney General and the DNI to the 
FISC. [redacted] certifications identify categories of foreign intelligence information 
sought through this acquisition: 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


(S//NF) The NSA targeting and minimization procedures establish the processes that 
the Agency must follow and the requirements that it must satisfy to comply with the 
limits the statute and the Constitution impose on the use of this surveillance. The 
targeting procedures must be “reasonably designed” to limit acquisition under the 
FAA §702 certifications to non-USPs reasonably believed to be located outside 
the United States to acquire foreign intelligence information and to prevent 
intentional acquisition of communications in which the sender and all intended 
recipients are known at the time of acquisition to be in the United States. The 
purpose of the minimization procedures is to establish controls over the acquisition, 
retention, and dissemination of non-publicly available USP information. 


(U//FOUO) In addition to targeting and minimization procedures, FAA §702 requires 
the Attorney General, in consultation with the DNI, to adopt guidelines to ensure 
compliance with the limitations in the Act on acquisition of communications. These 
are documented in Guidelines for the Acquisition of Foreign Intelligence Information 
Pursuant to the Foreign Intelligence Surveillance Act of 1978. Approved by the 
Attorney General in 2008, the guidelines reinforce the targeting procedures, establish 


© (U//FOUO) Acquisition is the collection by NSA or the FBI through electronic means of non-public 
communications to which they are not intended parties. 
requirements for application of the targeting procedures, and establish requirements 
for obtaining court orders. 


(U//FOUO) The government’s FAA §702 certifications, targeting procedures, and 
minimization procedures (but not the Attorney General Guidelines) require FISC 
approval. The FAA §702 certifications are accompanied by affidavits from the heads 
of elements of the IC, such as the DIRNSA, that describe the Agency’s basis for 
assessing that acquisition will be consistent with statutory authorization and limits. 


(U) Methodology and Scope 


(U//FOUO) Our review of the FAA §702 control framework, incidents of 
non-compliance, and NSA’s use of the authority to support its mission, was based largely 
on FAA §702 stakeholder interviews and reviews of policies, procedures, and other 
program documentation. The OIG’s Special Study: Assessment of Management 
Controls Over FAA §702, revised and reissued 29 March 2013, was also used as a 
resource. That study examined the controls designed to ensure compliance with 
FAA §702 and the targeting and minimization procedures associated with the 2011 
certifications. Given the time constraints for the current review and the agreement 
with staff of the Senate Committee on the Judiciary, we did not verify through testing 
that all controls were operating as described by FAA §702 program stakeholders. $ 


(U//FOUO) Our review focused on the processes and controls in place in 2013. Two 
documents filed annually with each FAA §702 certification delineate NSA’s 
procedures for complying with the FISA Amendments Act of 2008: 


• (U//FOUO) Procedures Used by the National Security Agency for Targeting 
Non-United States Persons Reasonably Believed to be Located Outside the 
United States to Acquire Foreign Intelligence Information Pursuant to Section 
702 of the Foreign Intelligence Surveillance Act of 1978, as Amended (FAA 
§702 Targeting Procedures) and 


• (U) Minimization Procedures Used by the National Security Agency in 
Connection with Acquisitions of Foreign Intelligence Information Pursuant to 
Section 702 of the Foreign Intelligence Surveillance Act of 1978, as Amended 
(the FAA §702 Minimization Procedures). 


(U//FOUO) For calendar year 2013, the period under review, different versions of 
these documents were in effect because of changes made at the annual certification 
renewal and special amendments to the procedures. 


• (U) Targeting Procedures 


o (S//NF) Procedures approved with the 2012 renewal of the authority, 
effective 24 September 2012 through 10 September 2013. 


o (S//NF) These procedures were not changed for the 2013 certification 
renewal and remained effective 10 September 2013 through 28 August 
2014. 


‘S (U//FOUO) The NSA OIG has conducted several audits and special studies on the effectiveness of certain 
FAA §702 program controls. 


• (U) Minimization Procedures 


o (S//NF) Procedures approved for the 2012 certification 
renewal, approved by the FISC 24 August 2012, were effective 24 
September 2012 through 23 September 2013. 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


o (U//FOUO) An amended version of the 2013 minimization procedures 
approved 13 November 2013, added special procedures for assessing 
NSA’s ability to use collection received when NSA’s [redacted] post-tasking 
checks were not functioning properly and procedures for handling 
data collected during a period in 2013 when these checks were not 
performing as intended. 


(b)(3)-P.L. 86-36 


(U) We also examined implementing procedures and controls for the Attorney 
General’s targeting guidelines. 


(U) FAA §702 Program Control Framework 


(U//FOUO) The FAA §702 control framework describes how NSA targets, collects, 
retains, accesses, queries, disseminates, and purges FAA §702 data and the oversight 
mechanisms to comply with FAA §702 certifications, including FISC-approved 
targeting and minimization procedures. This section summarizes the provisions of 
the targeting and minimization procedures and the controls implemented for each 
phase of the FAA §702 production cycle. 


(U) Targeting 
(U) Provisions of FAA §702 certifications 


(S//NF) The FAA §702 targeting procedures set forth the measures that NSA uses to 
determine whether a prospective target is eligible for targeting under this authority. 
Each prospective target must meet three criteria. The individual must be a non-USP, 
reasonably believed to be located outside the United States, who possesses or is likely 


4 (U) A target is a person or entity against which intelligence operations are conducted. Foreign intelligence is 
obtained by tasking the target’s selectors (e.g., e-mail addresses) to acquire information pursuant to one of NSA’s 
authorities. 

to communicate foreign intelligence information consistent with one of the [___] 
FAA §702 certifications. 


(S//NF) The targeting procedures state that, when NSA proposes to direct surveillance 
at a prospective target, it does so only after it has learned something about the 
prospective target or the facilities the individual uses to communicate. For example, 
NSA personnel may examine lead information obtained from a non-NSA element, 
such as tips from the CIA or FBI 

(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 

personnel must also assess whether the prospective target possesses or 
is likely to communicate foreign intelligence information concerning a foreign power 
and whether the proposed target is appropriate under one of the 
FAA §702 certifications. 


(b)(3)-P.L. 86-36 
(U) Targeting process overview 


(U//FOUO) To initiate targeting under FAA §702 authority, NSA personnel must 
research the prospective target to determine whether it meets the requirements of this 
authority and to identify selectors that will yield communications from the 
prospective target.⁵⁰ Mission analysts operate within an assigned mission team (see 
the Access and Training section) and follow targeting guidance established by SID 
Analysis and Production on the basis of the FAA §702 Targeting Procedures to 
complete the analysis that forms the basis for a targeting request (TR). [___] 
is the vehicle for development and submission of TRs [___] 
The TR documents information supporting the targeting decision and 
is subject to at least two levels of review before targeting. Additional reviews may be 
performed by the SID Data Acquisition (S3) office of Targeting Strategy and Mission 
Integration (TSMI) and SV. 


(U//FOUO) Mission analysts are responsible for the initial research and identification 
of potential targets within their organization’s assigned missions. Analysts must 
complete a training regimen involving general courses on legal authorities and annual 
courses on FAA §702 procedures to be eligible to submit TRs under this authority 
and access and handle FAA §702 data (see the Access and Training section). 


(U) Provisions of FAA §702 certifications—eligibility for targeting 


(S//NF) Foreignness determination The targeting procedures require that NSA 
personnel examine, as appropriate under the circumstances, three categories of 
information to determine whether the intended target is a non-USP reasonably 
believed to be outside the United States (the foreignness determination). The 


48 (U) FAA does not define the term “reasonable belief,” but the Act requires that NSA adopt targeting procedures to 
ensure that FAA §702 acquisition is limited to targets reasonably believed to be outside the United States. 


49 (U) Facilities are communication vehicles used by targets, including telephone numbers and e-mail addresses. 
NSA tasks these facilities or “selectors” to obtain foreign intelligence from approved targets. 


50 (U) Selectors are unique identifiers of targets (entities against which intelligence operations are conducted), such 
as telephone numbers and e-mail addresses, used for tasking (initiating SIGINT collection for the target’s selectors). 

determination is based on the totality of information available about the prospective 
target’s location and status as a USP and may be obtained from any one or a 
combination of these sources: 


(U//FOUO) Foreign intelligence purpose for targeting In addition to the 
foreignness determination, NSA personnel must assess whether the prospective target 
possesses, is expected to receive, and/or is likely to communicate foreign intelligence 
pursuant to one of the FAA §702 certifications.⁵¹ Each certification identifies [___] 
categories of foreign intelligence (see Background at the beginning of FAA §702 
section) and specifies activities for which foreign intelligence collection is approved. 


(S//NF) Targeting must also comply with the Attorney General’s Guidelines for the 
Acquisition of Foreign Intelligence Information Pursuant to the Foreign Intelligence 
Surveillance Act of 1978, which reiterates the five targeting activities prohibited by 
FAA §702: 


(U) Intentionally targeting a person known at the time of acquisition to be in 
the United States; 


(U) Reverse targeting, that is, targeting a non-USP outside the United States 
for the purpose of targeting a particular, known person reasonably believed to 
be in the United States; 


(S//NF) Intentionally targeting a USP reasonably believed to be outside the 
United States; 


(U) Intentionally acquiring communications as to which the sender and all 
intended recipients are known at the time of acquisition to be in the United 
States; and 


(U) Targeting inconsistent with the Fourth Amendment to the Constitution of 
the United States. 


51 (U) Foreign intelligence information is defined in FISA as (1) information that relates to, and if concerning a USP 
is necessary to, the ability of the United States to protect against (A) actual or potential attack or other grave hostile 
acts of a foreign power or an agent of a foreign power; (B) sabotage, international terrorism, or the international 
proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power; or (C) clandestine 
intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or 
(2) information with respect to a foreign power or foreign territory that relates to, and if concerning a U.S. person, is 
necessary to (A) the national defense or the security of the United States; or (B) the conduct of the foreign affairs 
of the United States. 
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(b)(3)-P.L. 86-36 


(U) Targeting control procedures 
(S//NF) Target research—foreignness [___] 


(U//FOUO) Target research—foreign intelligence determination NSA mission 
analysts task targets that are aligned with the National Intelligence Priorities 
Framework, can be linked to one of the foreign intelligence purposes specified in the 
appropriate FAA §702 certification and, generally, are within the analysts’ assigned 
mission area.⁵³ 


(U//FOUO) Targeting request Once mission analysts complete the research for the 
proposed target, they must develop and submit a [___] 
identified for an eligible target. The TR documents the analyst’s determinations that 
the prospective targets meet the standards in the targeting procedures. Once the TR 
has been reviewed and approved (see Targeting Authorization), the selector identified 
in the TR is used to initiate collection. To complete a valid TR, mission analysts 
must compile specific information to demonstrate that, based on the totality of the 
circumstances determined from the research performed, there is a reasonable belief 
that the proposed target is foreign (not a USP and not within the United States) and is 
likely to produce foreign intelligence consistent with one of the FAA §702 
certifications. The TR must include: 


52 (U//FOUO) Raw data is data that has not been evaluated for foreign intelligence or processed to handle USP 
identities pursuant to the minimization procedures. Metadata is dialing, routing, addressing, or signaling 
information associated with a communication but does not include information concerning the substance of the 
communication. 

53 (U) The National Intelligence Priorities Framework translates national foreign intelligence objectives and 
priorities approved by the President into specific prioritization guidance for the IC. It serves as guidance for U.S. 
foreign intelligence analysis and collection. 


• (U//FOUO) [___] 


• (U) Sources supporting the determination of foreignness. 

(U//FOUO) Mission analysts must create permanent documentation of the 
information sources used to establish foreignness. Copies of the source information 
are saved in a restricted access SharePoint site that SV maintains. This repository 
facilitates approval of the TR, as well as internal and external oversight. 


(U//FOUO) The [___] system supports targeting compliance as the mission analyst 
creates the TR. The system requires: 

(b)(3)-P.L. 86-36 

• -SHSHREE-TFOUSA-FYEY Detailed information establishing the 
foreignness of the selector; 

(b)(1) 

• (U//FOUO) Target information, including the TAR, 

• (U//FOUO) Completion of key fields to document information about the 
prospective target (e.g., authorized targeting purpose, how the individual was 
determined to be outside the United States, basis for expectation that targeting 
the individual will produce foreign intelligence), and 

• (U) Identification of the appropriate FAA §702 certification. 


(U//FOUO) The [___] system also: 

(b)(3)-P.L. 86-36 
(b)(1) 
(b)(3)-P.L. 86-36 

• (U) Identifies conflicting data within the TR, 

• (U) Captures references to supporting documentation, 


` (U) Targeting Rationale is a brief justification for targeting a selector, intended to explain the connection between 
the proposed target and a foreign intelligence purpose. 
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(U) Provisions of FAA §702 certifications—authorization to target 


(U//FOUO) Approval to task a prospective target’s selectors requires that the TR 
entry for that tasking be reviewed to verify that it contains the necessary citations to 
source information that led the analyst to reasonably believe that the individual is a 
non-USP outside the United States and is linked to the appropriate FAA §702 
certification. 

(b)(3)-50 USC 3024(i) 


(U) Targeting authorization—controls 


(U//FOUO) NSA has implemented a multi-level review process to approve all 
proposed targeting. 


(U//FOUO) Releaser review Submitted TRs are first reviewed by the mission 
releaser. Normally, the releaser is in the same organization as the mission analyst. 
Releasers must complete the same training courses as mission analysts. They 
examine the TRs for completeness and compliance with the FAA §702 Targeting 
Review Guidance developed and maintained by the Mission and Compliance staff, 
part of the Directorate for Analysis and Production, within NSA’s Signals 
Intelligence Directorate. 


(U//FOUO) Adjudication [___] the 
final approval of the TR, known as adjudication, is a critical control point in tasking 
selectors under FAA §702 authority and is performed by personnel designated as 
mission adjudicators. [___] TRs were initially subject to adjudication by SV, but 
the responsibility was moved to the 
mission groups within the SIGINT Analysis and Production organization, where 
specially trained and experienced analysts, usually from the same organization as the 
targeting analyst, perform adjudication. Adjudicators must complete the same 
courses as other mission personnel as a prerequisite for access to FAA §702 data (see 
the Access and Training section). They must also complete a specific course on 
adjudication and receive on-the-job training in their mission office before they are 
permitted to adjudicate independently. Adjudicators receive advice and updated 
information from the staff of the SIGINT Analysis and Production organization, SV, 
and OGC on developments affecting the application of the FAA §702 authority. The 
majority of adjudicators have two or more years’ experience in adjudication. 
Adjudicator performance is monitored by the Mission and Compliance staff in SID’s 
Directorate for Analysis and Production. 


EHRE FOSA FEA Adjudicators review TRs for accuracy, evaluate the 


evidence in the TR supporting the foreignness of the proposed target, examine the 
TAR statement for the individual’s foreign intelligence value, and verify that the TR 
supports eligibility for targeting under the specified FAA §702 certification. As part 
of their TR reviews, adjudicators recreate the steps taken by the mission analyst to 
independently confirm that the supporting data is accurate and that the most current 
information available is used to support a reasonable belief that the prospective target 


58 (U//FOUO) As part of the Operati he S2, th ffincludes teams who provide support and oversight 
of SID’s use of FAA §702, such as (S203A1) a 
Missi 
(S203A7). 

is foreign. Following the same procedure as mission analysts, adjudicators [___] determine 
whether there is supporting or contrary information regarding the foreignness of the 
individual. Adjudicators must complete a series of checks manually or assisted by 
technology: 

(b)(3)-P.L. 86-36 


(b)(3)-P.L. 86-36 

• [___] an initial foreignness determination. 

• -PSHSTAREE-FO-CSA-FYEYS Reviewing the database of selectors 
[___] whether there was information indicating that the 
individual was not foreign. 

(b)(1) 
(b)(3)-P.L. 86-36 

• (U//FOUO) Accessing the SV4 SharePoint site to determine whether there is 
information that would preclude the current tasking request from being 
approved 


(U//FOUO) If adjudicators are able to confirm that the prospective target meets the 
FAA §702 requirements for tasking, they approve the target’s selector for tasking [___]. 
However, if there is an error or required information 
is absent in the TR, adjudicators must ensure that corrective action is taken before 
approving the TR. 


—CFSHSHANF In most instances, if adjudicators identify updated foreignness 
information, they substitute that information in the TR to ensure that the TR is 
current. If adjudicators find an error, such as inaccurate foreignness information, 
insufficient evidence to support foreignness, or an incomplete TAR statement, 
adjudicators may deny the TR and return it to mission analysts for correction. When 
the TR is corrected, the TR goes back to the mission releaser and the mission 
adjudicator. As part of the approval process, adjudicators upload documentation of 


the sources ee the as decision to the SharePoint site that SV maintains. 
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(U/FOUGy The targeting review process is summarized in Figure 8. 


(U) Figure 8. FAA §702 Targeting Review Process 

[Figure: S2 FAA 702 Targeting Review] (b)(3)-P.L. 86-36 

(U) Provisions of FAA §702 certifications—approval of TRs from other 
agencies 


(U//FOUO) The FAA §702 minimization procedures set forth processes NSA uses for 
the acquisition, retention, use, and dissemination of information acquired under FAA 
§702. 


(U//FOUO) In accordance with Section 6(c) of the minimization procedures, NSA 
provides the CIA and the FBI unminimized communications acquired pursuant to 
FAA §702 for targets nominated by the respective agencies and approved for tasking 
in accordance with NSA’s targeting procedures. [___] Both 
the CIA and the FBI must handle unminimized communications received from NSA 
in accordance with their FISC-approved minimization procedures adopted by the 
Attorney General in consultation with the ODNI. 


(b)(3)-P.L. 86-36 

(U//FOUO) Controls over approval of CIA and FBI TRs 


ASAREE TOUSA FYE The CIA and the FBI submit requests for tasking selectors 
of prospective targets to NSA, which reviews the foreignness information and the 
foreignness justification for the prospective target and approves the selectors for 
tasking upon an assessment that there is a reasonable belief that the prospective target 
is a non-USP outside the United States and that collection will produce foreign 
intelligence information pursuant to one of the approved certifications. 


(b)(3)-P.L. 86-36 


(S//NF) Targets proposed by the CIA or FBI that are not currently tasked by NSA are 
vetted through reviews performed by NSA personnel 


(U//FOUO) Table 26 summarizes the targeting provisions of the FAA §702 targeting 
procedures and the controls NSA has implemented to maintain compliance. 


(U) Table 26. Targeting Provisions and Controls 


Provision: (U) Foreignness - Acquisition targets only non-USPs reasonably believed to be 
outside the United States 
Controls: 
(U//FOUO) The TR documents the support for NSA’s determination of the prospective 
target’s foreignness. 
PPSHOHREL-FO-U8A-FYETY The targeting system [___] enforces completion of required 
fields (including foreignness information), identifies conflicting data, flags selectors 
ineligible for [___] and captures source information supporting targeting. 
(U//FOUO) All TRs are subject to at least two levels of review prior to targeting. 
Additional reviews may be performed by TSMI or SV. Reviewers examine available 
information to validate accuracy of the foreignness determination and that conflicting 
information has been resolved. 
(b)(1) 
(b)(3)-P.L. 86-36 


Provision: ESN NSA will maintain [___] compliant tasking. New TRs will be compared 
with these records before targeting. 
Controls: 
NSA maintains these records in a database of [___] This tool is used in target 
research by analysts and interfaces with [___] to identify ineligible selectors proposed 
for targeting. The information generated is reviewed by the adjudicators and any 
conflicts should be resolved before the TRs are approved. 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


Provision: (U) Foreign Intelligence Purpose of Targeting - NSA will assess whether the 
target possesses or is likely to communicate foreign intelligence pursuant to one of 
the approved certifications. 
Controls: 
(U//FOUO) The TAR Statement documents why targeting is requested and indicates the 
tie to a foreign intelligence purpose specific to the FAA Certification under which 
targeting is requested. This is subject to adjudication. 


Provision: (U) NSA may provide unminimized communications acquired pursuant to 
FAA §702 to the CIA and FBI. 
Controls: 
TEREF TO BATTE The CIA and FBI may nominate targets and selectors [___] the 
unminimized data that they receive. 


Provision: (U//FOUO) Tasking requests must be supported by citations to the information 
that led to the analyst’s reasonable belief of the foreignness of the target. Approval of 
the TR will include review of the citation. 
Controls: 
(U//FOUO) The adjudication review includes examination of the citations supporting the 
foreignness determination maintained in the SV SharePoint site. 


& (U) An MCT is an Internet “transaction” that contains more than one discrete communication within it. If one of 
the communications within an MCT references a tasked selector and one end of the transaction is foreign, the entire 
MCT transaction will be acquired through upstream Internet collection techniques. Since this can include discrete 
communications that do not contain the tasked selector, use of such information must meet specific requirements. 


(U) Provisions of FAA §702 Certifications and other Guidance—Post- 
Targeting Review 


(S//NF) In accordance with the targeting procedures set forth in each FAA §702 
certification, NSA analysts are required to conduct post-targeting reviews of all 
selectors tasked under FAA §702 authority. The targeting procedures state that “Such 
analysis is designed to detect those occasions when a person who when targeted, was 
reasonably believed to be located outside the United States has since entered the 
United States, and will enable NSA to take steps to prevent the intentional acquisition 
of any communication as to which the sender and all intended recipients are known at 
the time of acquisition to be located in the United States, or the intentional targeting 
of a person who is inside the United States.” 
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(U) Post-targeting 


(S//NF) NSA has implemented four procedures to ensure that targeted persons 
continue to meet the criteria specified in the FAA §702 targeting procedures. 


Post-targeting controls—obligation to review NSA has 
implemented a process called Obligation to Review (OtR) that has two provisions. 
The first requires that, upon tasking a selector, the mission team that initiated tasking 
must review collection from that tasking within 5 business days of the receipt of the 
initial piece of traffic from FAA §702 collection. An e-mail notification is sent to 
mission team members notifying them of the receipt and the 5 day review 
requirement. The mission analyst must review a sample of the content of the 
collection to determine that: 


• (U) The selector is being used by the intended target, 


• (U) The target is valid under the requested FAA §702 certification, and 


• [___] 


(U//FOUO) If the reviewing analyst determines that all three requirements have been 
satisfied, thus making the tasking valid under FAA §702 authority, no further action 
is required. If any of the three requirements is not satisfied, the selector must be 
immediately detasked in [___] (removed from collection). The selector 
cannot be resubmitted for tasking until all requirements have been satisfied. 
(Detasking is discussed further in the Monitoring Collection section.) 

(b)(3)-P.L. 86-36 

(U//FOUO) The second provision of the OtR process requires the mission office to 
conduct an ongoing review of at least a sample of the content from ongoing collection 
to ensure that the target continues to meet the criteria for targeting under FAA §702. 
After the initial review has been completed, a sample of collection is reviewed 

(b)(1) 
(b)(3)-P.L. 86-36 

(U//FOUO) Post-targeting controls—monitoring collection Mission analysts 
must monitor collection for indications that the target no longer meets the foreignness 
requirements, is not associated with the tasked selector, or is not linked to a valid 
foreign intelligence purpose tied to an FAA §702 certification. If it is determined 
that the target or the selector is no longer appropriate for tasking under this authority, 
NSA will have to take actions that might include detasking the selector, reporting a 
compliance incident, recalling intelligence reports, and purging collected 
communications. 


(U//FOUO) If collection indicates [___] user of a tasked selector is an 
individual who is not the intended target and is not of foreign intelligence value or is 
or may be a USP or is in the United States, the mission office must immediately 
remove from collection all selectors [___] and identify 
collection ineligible for retention. Additional research may be performed before 
detasking, if there is evidence that the information on the user’s USP status or 
location is not correct. Unless there is a strong reason to doubt this information from 
collection, it is presumed valid and detasking should occur immediately. If review of 
collection identifies communications in which the sender and all intended recipients 
are determined to have been within the United States at the time of collection 
(domestic communications), those communications must be destroyed with limited 
exceptions. 


(U) If analysis of the collection finds that the selector is no longer used by the target, 
the selector must be removed from tasking. 


(U//FOUO) Attorney-client privileged communications are subject to special 
procedures designed to prevent privileged information from being used in 
prosecution. Should review of collection identify communications between persons 
known to be under criminal indictment in the United States and their attorneys, 
review of the communication must be discontinued and OGC notified for guidance on 
handling the communication. 


© (U//FOUO) If the domestic communication collected is not related to an incident (see Incident Reporting), 
DIRNSA may approve a destruction waiver to allow retention of the collection. 


* (U//FOUO) Monitoring communications between a person known to be under criminal indictment in the United 
States and an attorney representing that individual in the matter under indictment must cease once the relationship 
[___] 
to protect such communications from review or use in criminal prosecutions. 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


DOCID: 4273474 


TOP SECRET//SI//NOFORN 
ST-14-0002 


(U//FOUO) If authorized collection incidentally acquires a foreign communication of 
or concerning a USP (e.g., an FAA §702 target is communicating with a USP or 
about a USP), the communication may in general only be retained if the USP 
information qualifies as foreign intelligence or the information is evidence of a crime 
and is provided to appropriate federal law enforcement authorities. Domestic 
communications, including communications of a target who has entered the United 
States, must in general be destroyed upon recognition, unless DIRNSA or the Acting 
DIRNSA approves retention of the communication for one of the limited reasons 
listed in Section 5 of NSA’s FAA §702 minimization procedures. 

(b)(3)-P.L. 86-36 
(U//FOUO) For intelligence collected from upstream Internet collection [___] subject 
to MCTs, NSA mission analysts must identify and carefully review collection 
containing MCTs made available for analytic review. While NSA automatically 
segregates certain MCTs and does not pass them to repositories accessible to analysts, 
there may still be information in some MCTs that is not eligible for retention. If a 
discrete communication within an MCT is not to, from, or about a tasked selector but 
otherwise contains foreign intelligence information and the discrete communication is 
not to or from an identifiable USP or a person reasonably believed to be in the United 
States, the MCT may be retained to the same degree that a discrete communication 
could be retained. If any portion of the MCT contains a domestic communication, the 
entire MCT must be purged, unless there is no underlying compliance incident and 
DIRNSA approves a destruction waiver. 


(U) For selectors removed from tasking, all communications collected after the target 
no longer meets the requirements of FAA §702 must be identified for purging 
through incident reporting and the purge adjudication process (see the Purge section). 


+FSHSHANF) Post-targeting controls—detection of targets that may have 
entered the United States [___] 


(b)(3)-P.L. 86-36 


(b)(3)-50 USC 3024(i) 


[___] In addition to analyst review of 
selector communications, NSA has [___] 
for indications that the user of a tasked selector has entered the United 
States. [___] 
immediately detasks the roaming selector, and sends a message to mission 
analysts notifying them that the selector has been detasked. It is the analysts’ 
responsibility to identify and detask additional selectors for the target and develop the 
information necessary to produce an incident report. Though NSA may not have had 
prior notice of the target’s intention to travel, FAA §702 may not be used to target 
individuals in the United States (see the Incident Reporting section). 
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(b)(1) 
(b)(3)-P.L. 86-36 
(U//FOUO) Post-targeting controls—periodic selector review As discussed 
earlier, NSA is required to regularly confirm that all selectors tasked under FAA §702 
continue to meet targeting requirements. In addition to these ongoing reviews, [___] 
defaults all FAA §702 targeting to a one year review. To maintain acquisition for the 
target, mission analysts must confirm that continued tasking of the selector is 
expected to acquire foreign intelligence relevant to the FAA §702 certification under 
which the targeting was executed. 

(b)(3)-P.L. 86-36 


(U//FOUO) Table 27 summarizes the post-targeting provisions of the FAA §702 
targeting procedures and the controls implemented by NSA to maintain compliance. 


(U) Table 27. Post-Targeting Provisions and Controls 


(U) Analysts are required to monitor collection to determine 
whether the target continues to meet targeting criteria, including 
foreignness. 

(U) Analysts receive “obligation to review” notices upon first 
receipt of collection for newly tasked Internet selectors and every 
thirty days commencing with the date of first collection after the 
last review. The notice is repeated until collection has been 
reviewed. 

(U) Annual reviews confirm that a target remains eligible for 
targeting and continues to be expected to produce foreign 
intelligence relevant to the FAA §702 certification under which it 
was approved. 


(U//FOUO) Post-targeting 
analysis is performed to detect 
when a person, reasonably 
believed to be outside the 
United States when targeted, 
has since entered the United 
States. This will allow NSA to 
take steps designed to prevent 
acquisition of domestic 
communications or the 
targeting of a USP. 


NSA will routinely compare 
tasked selectors with 
information collected from 
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-+SHSHINE) NSA will routinely 


compare selectors tasked 


NSA will 

for indications that a 
foreign target has entered or 
intends to enter the United 
States. 


(U) If NSA determines that a 
target has entered the United 
States, it will take the 
necessary steps to assess 
whether the incident represents 
non-compliance with the 
targeting procedures and report 
such occurrences to DoJ and 
ODNI and purge related 
communications from NSA 
databases as required. 


(U) If NSA determines that a 
target who at the time of 
targeting, was believed to be a 
non-USP is in fact a USP, it will 
terminate collection without 


delay and report the incident to 
DoJ and ODNI and purge such 
collection from its databases. 


(U//FOUO) As soon as it 
becomes apparent that a 
communication is between a 
person who is known to be 
under criminal indictment in the 
United States and an attorney 
who represents that individual 
in the matter under indictment, 
monitoring of that 
communication will cease and 
the communication will be 
identified as an attorney-client 
communication in a log 
maintained for that purpose. 




ASHREEFO-USA- FYE See Table 26 — second control. 


(U) Automated notices are sent to mission teams upon first receipt 
of collection for newly tasked Internet selectors and every thirty 
days commencing with the date of first collection after the last 
review. The notice is repeated until collection has been reviewed. 


(U) See the Incident Recognition and Reporting section. 

(U) If NSA determines that a target has entered the United States 
and the target's selectors were not detasked before entry, it is 
reported to DoJ and ODNI as an incident. DoJ assesses which 
incidents represent non-compliance with the targeting procedures 
and reports such occurrences to the FISC. NSA purges related 
communications from NSA databases as required. In some 
cases, DIRNSA may grant a destruction waiver so NSA can retain 
collection that is otherwise subject to purge. 


(U) See the Incident Recognition and Reporting section. 


(U//FOUO) Annual FAA training requires that such 
communications be brought immediately to OGC’s attention for [___] 
communications, [___] 
process used to quarantine these communications is a sufficient 
process for documenting the information. 


(U) Incident Recognition and Reporting 
(U) Provisions of FAA §702 certifications—incident reporting 


(U//FOUO) The targeting procedures state that NSA will conduct ongoing oversight 
and report incidents of non-compliance to the NSA OIG and OGC and ensure that 
corrective actions are taken to address deficiencies. Reporting is required for 
incidents of non-compliance “that result in the intentional targeting of a person 
reasonably believed to be located in the United States, the intentional targeting of a 
USP, or the intentional acquisition of any communication in which the sender and all 
intended recipients are known at the time of acquisition to be located within the 
United States.” NSA must report these incidents within five business days of learning 
about them. The Agency must purge from its databases information acquired by 
intentionally targeting a USP or a person not reasonably believed to be outside the 
United States at the time of targeting. If post-targeting analysis shows that the target 
is inside the United States or a USP, acquisition must be terminated without delay. 
Inadvertent acquisition of domestic communications is addressed in the minimization 
procedures (see the Purge section). NSA also reports incidents of non-compliance 
with the FAA §702 minimization procedures. Some examples include incomplete 
minimization of USP information, improper queries of raw data, and technical errors 
that affect systems controls over the data, such as retention beyond the required 
destruction date. 


(U) Incident reporting controls 


(U//FOUO) Training and management communications emphasize the fact that 
incidents can occur at any point in the collection, targeting, dissemination, access, and 
retention of SIGINT communications and stress the importance of immediate 
reporting of instances of non-compliance. Individuals do not have to prove that the 
activity is noncompliant to report an incident. SV works with the mission team that 
reports the matter to develop an incident report with complete and accurate 
information. If the incident involves a system or a system’s performance, TV 
involves all appropriate subject matter experts (including SID, SV, TD, and OGC) to 
assess the situation and evaluate its effect on compliance under the authority. OGC 
informs DoJ and ODNI of incidents that may indicate non-compliance with 
FAA §702. DoJ, in coordination with ODNI, makes the final determination whether 
an incident is reportable to the FISC. 


(U//FOUO) The OIG receives internal incident reports from SV and TV. Notices of 
non-compliance (13b notices) that DoJ files with the FISC are made available to the 
OIG. The OIG uses this information to develop the Intelligence Oversight Quarterly 
Report, which is prepared with OGC and sent to the President’s Intelligence 
Oversight Board through DoD. The incidents and notices of non-compliance are also 
used as input to OIG inspections and intelligence oversight reviews. 


(U//FOUO) The annual FAA §702 training required of all individuals handling 
information obtained under this authority addresses incident recognition, reporting, 
and processing. It defines two types of reportable events: incidents of 
non-compliance and changes in the target’s status. 


(U//FOUO) Reportable compliance incident An FAA §702 compliance incident 
occurs when NSA violates FAA §702 statutory requirements or targeting and 
minimization procedures or has made materially inaccurate representations to the 
FISC or has otherwise not performed in a manner consistent with previous 
representations to the FISC. For example, if NSA tasked a foreign intelligence target 
reasonably believed to be outside the United States at the time of tasking and later 
learned that the target planned to travel to the United States but did not detask the 
selector before the target’s entry into the United States, this would be reported as a 
compliance incident. 


(U//FOUO) Reportable compliance incidents may also result from actions taken by 
communication service providers. For example, provider error could cause 
distribution to NSA of communications for selectors not tasked under FAA §702. 


(U//FOUO) Change in target status After tasking selectors associated with a target 
that meets all requirements of the targeting procedures, NSA may identify 
information about the target that was not available when the targeting decision was 
made. This information may show that the target is a USP or is located in the United 
States, making the target ineligible for targeting. These changes in target status, 
though not incidents of non-compliance, must be reported. 


(U//FOUO) Incident reporting and documentation SV has a significant role in 
reporting incidents of non-compliance with FAA §702. SV developed an operating 
procedure that addresses the multiple means of incident discovery and the actions SV 
personnel follow for each. There are three primary sources from which SV may 
identify incidents: 


• (U//FOUO) Detask notifications, produced by [redacted] when mission personnel 
remove selectors from collection. A detargeting reason is associated with 
each notification, some of which may indicate an incident, e.g., the user of the 
tasked selector has been identified as a USP, 


• (U//FOUO) [redacted] that appear to have roamed into the 
United States, and 


• (U//FOUO) Communications of incidents reported by analysts, query 
reviewers, and others involved in processing or monitoring collection. This 
may include errors by communication service providers. 


(TS//SI//REL TO USA, FVEY) For each incident, SV works with personnel familiar 
with the occurrence to create a permanent record including significant detail about the 
incident and its resolution, for example, the selector, the intended target, 
method of incident discovery, detasking information, and 
dates of collection to be purged. SV creates an entry in the database of selectors 
associated with targets that have roamed into the United States or have been 
identified as USPs to identify selectors associated with targets identified as meeting 
certain criteria. [redacted] generates a notice to analysts 
entering TRs. This entry is required when incidents identify a target located in the 
United States or a target identified as a USP. 


(U//FOUO) TV is responsible for overseeing the reporting and mitigation of incidents 
that affect TD personnel and systems. For each incident, information regarding the 
incident’s root cause and mitigation is gathered and documented. There are four 
primary ways in which incidents in TD are discovered: 


• (U//FOUO) Technical personnel or analysts find data that is not protected, 
labeled, or transferred as expected, 


• (U//FOUO) Audits of queries submitted by TD personnel are reported when 
they do not comply with the minimization procedures, 


• (U//FOUO) Upon analysis of a system for TV certification, instances of 
potential non-compliance are reported, and 


• (U//FOUO) Technical personnel self-report incidents. 


(U//FOUO) SV and TV provide the incident reports to OGC to assess whether the 
incident is a matter of non-compliance with the FAA §702 certifications and targeting 
and minimization procedures and is reportable to NSA’s overseers (see the Oversight 
section). 


(U//FOUO) Incident remediation Several types of activities may be necessary to 
resolve compliance incidents or changes in status, for example, detasking selectors, 
purging communications ineligible for retention, recalling disseminated reports based 
upon communications subject to purge, correcting system errors, and training. The 
actions taken are documented in the incident report and, if appropriate, the notice of 
non-compliance filed with the FISC. Depending on the magnitude of an incident of 
non-compliance (e.g., a system error affecting the functioning of targeting controls), 
the FISC may require supplemental reports on progress in correcting the matter. SV 
and OGC coordinate such reports with DoJ and ODNI. 


(U//FOUO) Table 28 summarizes the incident reporting provisions of the FAA §702 
targeting procedures and the controls implemented by NSA to maintain compliance. 
The provisions are documented in the oversight and compliance requirements in the 
targeting procedures. 


(U) Table 28. Incident Reporting Provisions and Controls 
(U//FOUO) 


Provision: (U) NSA will conduct ongoing oversight activities and will make 
necessary reports, including those relating to incidents of non-compliance, to the 
NSA OIG and OGC. 
Control: (U) FAA §702 training addresses incident identification, documentation, 
and the process for self-reporting. (U//FOUO) SV and TV document the incident 
with assistance of the individuals who identified the matter and provide the 
information to OGC for review. OGC, in turn, forwards the incident to DoJ and ODNI. 


Provision: (U) NSA will ensure that necessary corrective actions are taken to 
address identified deficiencies. 
Control: (U) The incident report documents measures taken to remediate the 
incident (e.g., detasking and purge of communications). 


Provision: (U//FOUO) NSA will report to DoJ NSD and ODNI incidents of 
non-compliance (including over collection) by electronic communications service 
providers within five business days after determining non-compliance. 
Control: (U//FOUO) SV, TV, and OGC manage the incident reporting process to 
assure that initial reporting is performed within five business days of the 
identification of non-compliance. 


(U//FOUO) 
(U) NSA’s FAA §702 minimization procedures require that collection of information 
by targeting non-USPs reasonably believed to be outside the United States be 
conducted in a manner designed, to the greatest extent feasible, to minimize the 
acquisition of information not relevant for the purpose under which the collection was 
authorized. Steps to assure that acquisition meets this requirement start with target 
research and approval and the determination that the proposed target meets the 
criteria for eligibility under FAA §702. NSA has incorporated additional measures in 
its collection process to comply with this limitation. 


(U) Collection mechanisms for FAA §702 communications 


(U) NSA has two collection mechanisms for FAA §702 [redacted] 
communications are obtained by the FBI through compelled collection from ISPs and 
include only communications to which a tasked selector is a party. For upstream 
Internet collection and telephony collection, the communication service providers 
who control the telecommunications infrastructure over which the communications 
travel are legally compelled to make available to NSA communications related to 
tasked selectors. Upstream collection of Internet-based selectors may include 
communications to or from the tasked selector, as well as communications in which 
the selector is referenced within an Internet transaction. The latter is called “abouts” 
collection because the communication is neither to nor from the tasked selector, but 
“about” the selector, i.e. the selector is contained within the communication. 
Communications acquired from telephony selectors are only to or from the tasked 
telephone number (i.e., “abouts” collection is not a factor). 


(U) Provisions of FAA §702 certifications—filters 
NSA’s FAA §702 targeting procedures state that, 
NSA will [redacted] employ an Internet Protocol filter to ensure that the person from 
whom it seeks to obtain foreign intelligence information is located in a foreign 
country, [redacted] 


(U) Collection controls for telephony and upstream Internet communications— 
communications not to or from the target 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


The providers should deliver only communications meeting these criteria to NSA. 


(U) Provisions of FAA §702 certifications—analysis of selector targeting status 


(S//REL TO USA, FVEY) NSA’s FAA §702 targeting procedures set forth criteria 
for initiating collection on a target. Once a target’s selector has been placed on 
collection, the Agency continues to evaluate collection and use other tools to identify 
changes in the status or location of the target (e.g., change in USP status, such as 
information that the individual has been granted permanent resident status in the 
United States or information that the target is entering the United States). If these 
changes occur or it is determined that the target is no longer producing foreign 
intelligence, the selector is removed from collection. Changes in targeting status may 


(U) Collection controls—verification that collection is for currently tasked 
targets 


(S//NF) For each source of collection, NSA employs processes to determine whether 
[redacted] are sending communications only for selectors currently tasked and 
authorized for collection. 


(U//FOUO) Collection for telephony selectors 


(b)(3)-P.L. 86-36 


(TS//SI//NF) Upstream collection for Internet-based selectors 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


(TS//SI//NF) A situation known as [redacted] can result in the 
unintended acquisition of non-target communications 
[redacted] NSA implemented a verification 
process to address this situation that is another check performed before upstream 
Internet communications are forwarded to analyst-accessible repositories for 
processing: 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


(U) Provisions of FAA §702 certifications—upstream Internet transactions 


(U) Background Upstream Internet collection includes acquisition of two types of 
communications not present in downstream collection: “abouts” communications and 
“multiple communications transactions” (MCTs). “Abouts” communications are 
those that are not to or from the target selector but whose contents include the 
selector. For example, if a target’s e-mail address is within the body of the Internet 
communication between other individuals, the communication is “about” the selector. 
An MCT is an Internet “transaction” that contains more than one discrete 
communication. If one of those discrete communications is to, from or about a tasked 
selector and if the active end of the transaction is foreign, the entire MCT transaction 
will be acquired through upstream Internet collection. This can include other discrete 
communications that do not contain the tasked selector. If the targeted selector is not 
the active user in the transaction, the MCT can include other discrete communications 
that do not contain the tasked selector. 


(U) Provisions NSA’s FAA §702 minimization procedures require NSA to: 
take reasonable steps post-acquisition to identify and segregate through technical 
means Internet transactions that cannot be reasonably identified as containing 
single, discrete communications where: the active user of the transaction (i.e., the 
electronic communications account/address/identifier used to send or receive the 
Internet transaction to or from a service provider) is reasonably believed to be 
located in the United States; or the location of the active user is unknown. 


(U//FOUO) Internet transactions that cannot be identified as meeting the above 
definition must be segregated and retained in an access-controlled repository from 
which transactions may not be moved, except for processing to render them 
intelligible, unless they are determined not to contain discrete communications for 
which the sender and all intended recipients are reasonably believed to be in the 
United States. Any such transactions moved to data repositories accessible by 
analysts are required to be identified as having been previously segregated. NSA’s 
FAA §702 minimization procedures also specify that Internet transactions acquired 
through NSA's upstream Internet collection techniques on or before 31 October 2011 
be destroyed upon recognition. 


(U) Upstream Internet collection controls—multiple communication 
transactions 


(TS//SI//NF) Effective January 2012, NSA implemented a process for analyzing and 
processing upstream Internet collection to ensure that only MCTs devoid of wholly 
domestic communications will be forwarded for further analysis. This process 
applied to all upstream data that had been sequestered starting 1 November 2011. 
Three criteria are used to sort these communications and determine whether they 
would be withheld from use by analysts (sequestered in a collection store) or sent to 
data stores accessible by analysts: the type of communication (discrete or MCT), the 
active user of the selector, and the location of the active user. The minimization 
procedures require that sequestered communications be accessible only to specially 
trained personnel to determine whether they may be authorized for use. [redacted] 
NSA reported to the FISC, all FAA §702 upstream Internet transactions acquired 
before November 2011, whether or not they were MCTs, were deleted. Additional 
controls are required when MCTs available to analysts are used, for example, to 
support reporting of foreign intelligence (see the Sharing and Dissemination section). 


(TS//SI//NF) Though the minimization procedures permit NSA to pass previously segregated communication to 
repositories accessible to analysts, NSA has not done so. 


[redacted] the only FAA §702 data forwarded to 
analyst-accessible repositories was data [redacted] or where the target was the active 
user. The remainder was sequestered pending development of decision logic to assess MCTs. The data was also 
excluded from 
(U) Table 29 summarizes the collection provisions of the FAA §702 minimization 
procedures and the controls implemented by NSA to maintain compliance. 


(U) Table 29. Collection Provisions and Controls 


Provision: (U) Acquisition of information by targeting non-USPs reasonably 
believed to be outside the United States will be conducted in a manner designed, 
to the greatest extent feasible, to minimize the acquisition of information not 
relevant to the purpose for which it was authorized. 
Control: (U//FOUO) Targeting controls (see Table 26) are the first measures 
employed to limit collection to communications of targets that meet the 
requirements of the targeting procedures. The foreignness requirements and the 
post-targeting analysis of communications serve to minimize collection of 
communications not authorized for acquisition (e.g., domestic communications). 
(b)(3)-P.L. 86-36 


Provision: Acquisition of communications not to or from the target will employ an 
Internet protocol [redacted] 
Control: [redacted] is foreign. Only transactions meeting this criterion should be 
delivered to NSA. 
(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


Provision: (U) NSA will take reasonable steps post-acquisition to identify and 
segregate through technical means Internet transactions that cannot be reasonably 
identified as containing single, discrete communications where the active user of 
the transaction is reasonably believed to be located in the United States or the 
location of the active user is unknown. 
Control: (U//FOUO) NSA has implemented procedures to analyze upstream Internet 
collection. Only discrete transactions or MCTs meeting certain criteria are made 
accessible to analysts. 
(b)(3)-P.L. 86-36 


(U) Repositories 
(U) Provisions of FAA §702 certifications— repositories 


(U//FOUO) NSA’s FAA §702 targeting procedures require that NSA establish 
processes for ensuring that raw traffic is labeled and stored only in authorized 
repositories and is accessible only to those who have had proper training (see the 
Access and Training section). 
(U) Control framework for access to FAA §702 repositories 


(U//FOUO) Several control procedures are employed to ensure that FAA §702 data is 
stored in repositories that meet standards for security and compliance and that access 
to the data is properly controlled. From the time of collection, data is processed 
through interim systems before it reaches [redacted] source systems for 
FAA §702 reporting. The remainder of this section describes four types of controls, 
focusing on their application to the [redacted] 


• (U//FOUO) System security accreditation, 


• (U//FOUO) System certification, 


• (U//FOUO) Data flow management, and 


• (U//FOUO) Data tagging. 


(U//FOUO) Approval for NSA systems to store and process FAA §702 data 


(U//FOUO) Accreditation TS is responsible for managing the risk on all NSA 
networks and the computer systems and devices connected to those networks. TS’s 
responsibilities include: 


• (U//FOUO) Guiding, prioritizing, and overseeing the development of 
information assurance programs necessary to ensure protection of information 
systems and networks by managing the NSA Information Security Program, 


• (U//FOUO) Serving as the Director NSA Authorizing Official to accredit all 
NSA information systems, 


• (U//FOUO) Conducting information systems security and accreditation and 
risk management programs, and 


• (U//FOUO) Establishing, maintaining, and enforcing NSA information 
systems security policies and implementation guidelines. 


(U) Accreditation is the official management decision to permit operation of 
information systems in specific environments at acceptable levels of risk, based on 
the implementation of an approved set of technical, managerial, and procedural 
safeguards. 


(U//FOUO) When accrediting systems, TS uses the National Institute of Standards 
and Technology (NIST) Risk Management Framework to determine the appropriate 
level of risk mitigation to protect systems, information, and infrastructure. NIST 
Special Publication 800-37, Guide for Applying the Risk Management Framework to 
Federal Information Systems, February 2010, describes the six steps in the 
framework. 


• (U//FOUO) Categorize the information system and the information processed, 
stored, and transmitted by that system based on an impact analysis (risk 
assessment), 


• (U//FOUO) Select an initial set of baseline security controls for the 
information system based on the security categorization; tailoring and 
supplementing the security control baseline as needed based on an 
organizational assessment of risk and local conditions, 


• (U//FOUO) Implement the security controls and describe how the controls are 
employed within the information system and its environment of operation 
(system developers), 


• (U//FOUO) Assess the security controls using appropriate assessment 
procedures to determine the extent to which the controls are implemented 
correctly, operating as intended, and producing the desired outcome with 
respect to meeting the security requirements for the system (independent 
testing by TS), 


• (U//FOUO) Authorize information system operation based on a determination 
of the risk to organizational operations and assets, individuals, other 
organizations, and the nation resulting from the operation of the information 
system and the decision that this risk is acceptable, and 


• (U//FOUO) Monitor the security controls in the information system on an 
ongoing basis including assessing control effectiveness, documenting changes 
to the system or its environment of operation, conducting security impact 
analyses of the associated changes, and reporting the security state of the 
system to designated organizational officials. 


(U//FOUO) Before a system is authorized to be put on a network, it must go through 
the accreditation process and be approved by TS. Once implemented, systems are 
subject to reaccreditation every three years or when significant changes occur that 
may affect the risk assessment. The dates through which the FAA §702 repositories 
are accredited are listed in Table 30. 


(U//FOUO) Table 30. Accreditation Status of NSA [redacted] 


(b)(1) 
(b)(3)-P.L. 86-36 


(U//FOUO) Certification In addition to system accreditation, all systems containing 
FISA data must be certified by TV4, the NSA authority for certifying automated 
systems to ensure they are compliant with the legal and policy regulations protecting 
USP privacy. DoJ and the FISC are notified when NSA designates [redacted] 


(U//FOUO) In 2010, NSA began certifying FISA systems as part of an effort to 
ensure that they comply with the legal and policy regulations protecting USP privacy. 
This included the repositories that contain FAA §702 metadata. Personnel from 
various organizations within SID and TD performed the initial certifications. TV 
subsequently assumed responsibility for system certification and developed the NSA 
corporate database for registering NSA systems, their compliance certification, and 
data flows. It is NSA’s authoritative source for all compliance certifications. 


(U//FOUO) The Agency’s certification process currently evaluates system controls 
for compliance with purge, data retention and age-off, data access, querying, 
dissemination, data tagging, targeting, and analytical processes. These mission 
functional areas are defined by the Comprehensive Mission Compliance Program 
ODOC administers. Through this program, compliance certification requirements are 
developed to address required compliance controls. The compliance requirements, 
administered by the TV2 requirements team, form the basis for the criteria against 
which systems are certified for compliance. 


(U//FOUO) To be certified to handle FISA data, systems must receive TV 
certification through the Compliance Certification process. The TV4 certification 
dates for the [redacted] that contain FAA §702 data and which can be used as sources 
to support dissemination are listed in Table 31. 


(U//FOUO) Table 31. Compliance Certification Status of NSA [redacted] 
(TS//REL TO USA, FVEY) 


(b)(1) 
(b)(3)-P.L. 86-36 


(U//FOUO) TV provided new compliance certification guidance in May 2014. 
Systems other than those being decommissioned within twelve months, which meet 
the following criteria, should be recertified by TV: 


• (U//FOUO) Systems with two significant system-related incidents in a twelve 
month period or three total, 


• (U//FOUO) FISA systems that have not been certified within two years, 


• (U//FOUO) Systems with a major upgrade affecting compliance functionality, 
or 


• (U//FOUO) Systems planning to process under a new authority (e.g., addition 
of FISA data). 


(U//FOUO) Owners of all affected FISA systems were notified in June 2014 that they 
should complete recertification, if their systems met these guidelines, within six 
months. [redacted] of the repositories 
are scheduled to be decommissioned and were exempted from this 
requirement. 


(U) Data flow management 


(S//REL TO USA, FVEY) USSIDs define a set of controls and operating procedures 
for the United States SIGINT System. USSID DA3511, Data Acquisition 
Directorate Targeting and Data Flow Management, defines a process intended to 
assure that only desired SIGINT is delivered to intended users in the time frame and 
format required. 


[redacted] is responsible for governing end-to-end 
data collection. [redacted] houses the access data 
managers responsible for testing and setting up new data flow paths that traverse the 
[redacted] processing infrastructure. The Data Governance Team governs the 
processing and distribution of data collected within NSA’s SIGINT system, oversees 
the documentation and review of all new dataflow requests, and implements 
processes designed to ensure that NSA compliance standards are maintained 
throughout the development of new data flows. 


(TS//SI//REL TO USA, FVEY) The Data Governance Team manages the data flow 
process. Customers must complete Dataflow Management Requests (DMR) to initiate 
or modify data flows. DMRs require detailed information, including the status of 
system certifications, system accreditation plans, types of data to be processed 
([redacted]), authorities for collection, and 
documentation of data flows. DMRs are evaluated and approved by a triage team 
[redacted]. Upon triage team concurrence, the DMR is 
given to the [redacted] Targeting and Tasking and Data Delivery organizations for 
testing and implementation. DMRs are complete once all required approvals are 
obtained and data flows become operational. 


(U) Data tagging 

(U//FOUO) Historically, NSA has managed data access by implementing restrictions 
on data storage, including the use of logical database partitions. Data flows were 
designed to place data in these partitions, for example, according to the FAA §702 
certification under which the communications were acquired. To access the data, 
personnel had to have appropriate training and be given access to certain systems and 
missions matching the data partitions where the data was stored. 
(U//FOUO) As NSA [redacted] new mechanisms for 
storing and accessing data are being developed. Data tags are created for each 
collection record, identifying the authority under which the data was collected, as 
well as several other pieces of information used in managing the data over its life. 
[redacted] Thus, to access raw data acquired under the [redacted] 
certification for FAA §702, analysts must be approved for access to such collection as 
part of an authorized mission and fulfill the training requirements for the authority. 


(U//FOUO) Data tags also serve to maintain compliance with limitations on the scope 
of queries, as well as age-off and purge requirements. 


(U//FOUO) Table 32 summarizes the repository provisions of the FAA §702 
targeting and minimization procedures and the controls NSA implemented to 
maintain compliance. 


(U) Table 32. FAA §702 Repository Provision and Controls 
(U//FOUO) 


Provision: (U//FOUO) NSA has established processes for ensuring that raw traffic 
is labeled and stored only in authorized repositories. 

Control: (U) All systems processing FAA §702 data must complete a security 
accreditation process. 

Control: (U) All FAA §702 repositories are certified compliant with the legal and 
policy regulation protecting USP privacy. 

Control: (U//FOUO) Data flows must be approved by [redacted] and SV to ensure 
compliance. 

Control: (U//FOUO) Data tags are applied to identify the authority under which the 
information was acquired. The tags also serve to manage access to data. [redacted] 


(U//FOUO) 


(U) Access and Training 

(U) Provisions of FAA §702 certifications 
(U) The FAA §702 targeting procedures state that NSA will develop and deliver 
training to ensure that intelligence personnel responsible for approving the targeting 
of persons under that authority, as well as analysts with access to the raw data 
acquired pursuant to FAA §702, understand their responsibilities and the procedures 
that apply to this acquisition. 


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(U) Control framework for restricting access to FAA §702 collection to 
authorized personnel 

—CPSHSTANF NSA requires that users having access to FAA §702 data have one or 
more credentials, be current on the required training, and be reper to approved 
missions. W 


redenta is is needed to Ras FAA 


is required to access data collected under the 
FAA §702 certifications. 


TERE ve) Obtaining the credential To obtain any of the 
credentials, a request must be submitted ol] Only individuals who 
hold the requested credential may submit someone for the credential. The request is 
first reviewed by the Associate Directorate for Security and Counterintelligence (Q) 
to determine whether the applicant has satisfied certain security criteria. If approved 
by Q, the request is forwarded to SV for final adjudication. SV reviews the request, 
verifying that the individual is current on required training and that the request 
es a valid mission justification. If all requirements are met, SV approves the 
for entry to NSA’s security database. retrieves 
information from and several other corporate authoritative source systems that 
provide the status of individuals’ approved missions, training, and clearances. Using 
this information, calculates daily a list of individuals who qualify for 
FAA §702 access. NSA systems use the information from to determine 
what data the individuals are authorized to access. SID maintains the authority rules, 
which determine what [redacted] verifies for individuals to access data. 


(U//FOUO) Obtaining access to mission resources SID policy designates 
as NSA’s tool for the proper administration and implementation of 
access to SIGINT data in NSA repositories; it facilitates the administrative process of 
acquiring access to tools and databases. Access sponsors submit individuals for 
access. The sponsors determine the appropriate SIGINT authority for users, 
assigning them to a mission documented in the mission correlation table, a master list 
of all analytic production elements that have been approved for SIGINT missions. 
The table facilitates database access by providing a record of databases needed to 
perform SIGINT missions. The access sponsor nominates a user for access to raw 
SIGINT databases, sources, and tools in support of a stipulated mission. The sponsor 
ensures that auditors are assigned to the mission to review queries of mission 
auditable data. feeds user access information of i 


86-36 


72 (U//FOUO) The [redacted] credential was originally established for FISA data and requires training in NSA’s 
Standard Minimization Procedures for FISA information. Later, different versions of [redacted] 
established for particular categories of permits access to FAA §702 data 
acquired before the establishment of a 
(U//FOUO) Maintaining access Automated and manual procedures provide 
assurance of continuing eligibility to access FAA §702 data. Users and access 
sponsors are responsible for removing users’ access when they no longer qualify for a 
mission. Each [redacted] mission is also required to have an intelligence 
oversight officer who performs periodic reviews to ensure that individuals assigned to 
_ missions are still eligible for access. 


(U//FOUO) Enforcement of required training is supported by the production of 
automated notices to individuals well in advance of their training expiration date. 
Notices are produced at regular intervals until the training is completed. If training 
expires, the individual is automatically removed from access to FAA §702 data. 3 


~(CHYREL-FOUSA-EVEY) calculates daily a list of individuals who 
qualify for FAA §702 access. interfaces with several corporate 
authoritative source systems that provide the status of individuals’ approved missions, 
training, and clearances. For systems that use data tags, user information in 
is compared with the data tags applied to the communications before 
giving the individuals access to the data. If the user does not possess the 
combination of requirements identified in the data tag, access to that data is denied. 


(b)(3)-P.L. 86-36 


(U//FOUO) Appropriate and adequate training NSA/CSS Policy 1-23 requires 
that Agency personnel complete IO training annually. 


(U//FOUO) To qualify for access to data acquired under an FAA §702 certification, 
persons must have completed specific training courses within the last 12 months. All 
courses are developed by NSA’s ADET in conjunction with the OGC, mission 
subject matter experts, and mission compliance professionals. All NSA analysts who 
perform targeting functions must take the first three courses listed next; the last is 
mandatory only for personnel requiring access to FAA §702 data. 


• (U//FOUO) OVSC1000 - NSA/CSS Intelligence Oversight Training - the 
Agency’s core IO course, provided to the workforce to maintain a high degree 
of sensitivity to and understanding of intelligence laws, regulations, and 
policies associated with the protection of U.S. person privacy rights. 
Personnel are familiarized with the major tenets of the four core IO 
documents: Executive Order 12333, as amended, Department of Defense 
Regulation 5240.1-R, Directive Type Memorandum 08-052, and NSA/CSS 
Policy 1-23. OVSC1000 is web-based and includes knowledge checks for 
proficiency. 


• (U//FOUO) OVSC1100 - Overview of Signals Intelligence Authorities - the 
SIGINT core IO course, provides an introduction to various legal authorities 


Aen isel ls not verify the individuals’ FAA §702 training status 


(U//FOUO) E.O. 12333, United States Intelligence Activities; DoD Regulation 5240.1-R, Procedures Governing 
the Activities of DoD Intelligence Components That Affect U.S. Persons; DTM-08-052, DoD Guidance for 
Reporting Questionable Intelligence Activities and Significant or Highly Sensitive Matters. 
governing NSA operations. Upon completion, personnel should be able to 
identify applicable surveillance authorities at a high level, define the basic 
provisions of the authorities, and identify situations requiring additional 
authority. OVSC1100 is web-based and includes knowledge checks for 
proficiency. All personnel in the U.S. SIGINT System (USSS) working under 
NSA SIGINT authority with access to raw SIGINT are required to complete 
OVSC1100. 


(U//FOUO) OVSC1800 - Legal Compliance and Minimization Procedures - 
an advanced SIGINT intelligence oversight course which explains policies, 
procedures, and responsibilities within missions and the obligations of the 
USSS to protect U.S. person and foreign partner privacy rights. OVSC1800 is 
web-based and includes competency exams 

Personnel who do not pass the test after attempts must 
complete remedial training. All analysts in the USSS working under DIRNSA 
SIGINT authority with access to raw SIGINT are required to complete 
OVSC1800 annually. 
(b)(3)-P.L. 86-36 


(U//FOUO) OVSC1203, FISA Amendments Act (FAA) Section 702, explains 
the legal policies and targeting and minimization procedures FAA mandates. 
The course is web-based and includes a competency exam 

Personnel who do not pass the test = 
attempts must complete remedial training. All analysts who require access to 
FAA §702 data must take this course annually. 


(U//FOUO) Other courses are also required before analysts can access NSA targeting 
tools. The first four of these are required for all NSA analysts who perform targeting 
functions, while the last is mandatory only for those analysts targeting under 
FAA §702. 


(U//FOUO) CRSK1300, Foundations of Smart Targeting, a web-based course 
that covers targeting policy, processes and concepts, available assistance, 
targeting tools, research, and collection. 


(U//FOUO) CRSK1301, Foundations of Smart Targeting: Research, available 
in web-based format beginning January 2015, the course focuses on elements 
of the targeting process requiring research, the research process, and the tools 
and databases used in research. 


(U//FOUO) CRSK1302, Foundations of Smart Targeting: Targeting, a 
web-based course that includes collection source considerations, the target 
workflow process, creating TRs, finding and assessing collection results, and 
documenting sources. 


(U//FOUO) CRSK1303, Foundations of Smart Targeting: Targeting 
Maintenance, a web-based course that focuses on resolving compliance 
problems, managing traffic, and maximizing the intelligence value of tasked 
selectors. 
(U//FOUO) CRSK1304, FAA Section 702 Practical Applications, a 
web-based course required for all NSA analysts who conduct targeting under 
FAA §702. It is scenario-based and addresses compliant TRs, targeting 
maintenance, and incident reporting. 


(U//FOUO) Adjudicator training In addition to the above courses, mission 
personnel who grant final approval of FAA §702 TRs must take a course on the 
approval process, be approved by their FAA §702 mission lead, receive hands-on 
training by personnel with adjudication experience, and be approved by S2 Mission 
and Compliance staff. Upon approval, elements in SID will upgrade the individual’s 
access role in [redacted] to allow adjudication of TRs. 
(b)(3)-P.L. 86-36 


• (U//FOUO) CRSK1305 - FAA Section 702 Targeting Adjudication — a course 
that explains NSA resources for validating selectors and foreignness 
explanations in JTRS, determining whether submitted TRs should be 
approved, and follow-up actions after a TR has been approved or denied. 


(U) Access requirements for technical personnel to FAA §702 repositories 


(U//FOUO) Technology Directorate personnel who directly support repositories and 
systems that contain raw SIGINT data or activities that utilize raw SIGINT must 
complete OVSC1000, OVSC1100, and OVSC1806 training annually. OVSC1806 is 
the same course as OVSC1800 (see above) but has an additional lesson on the system 
compliance certification process. Technical personnel who support FISA systems 
and whose responsibilities may include direct access to FISA data are also required to 
attend a briefing administered by OGC and TV. Upon completion of the briefing, SV 
updates| fieri the user’s attendance at the briefing and their 
authorization for access. 


~" (U) Identification of access vulnerability if] 


a8 part of its access control. ” 


an individual with authorized access to 
FISA data discovered that FAA §702 data had been included in the results of a query 
eS eames The individual had received FAA §702 training when she was 


more information on 


° ibah- -P.L. 86-36 
assigned to a different mission so her access to the data was not in violation of the 
FAA §702 targeting and minimization procedures. However, the access did violate 
SID policy because the mission to which the individual was assigned was not 
authorized for FAA §702. Investigation of the occurrence led to the discovery that 
personnel without the required FAA §702 training could access FAA §702 data in 
if they have eed credential. To date, no incidents have 
been identified of individuals who have not received FAA §702 training querying 
and receiving FAA §702 data. 


(U//FOUO) When SV personnel discovered this vulnerability, they worked with TD 
to initiate corrective measures. ee ee updated to 
add new COIs to FAA §702 data collected on or after that date. The new COIs 
emulate the access controls required for other FAA §702 systems, including 
controlling access based upon the authority under which it was obtained. 
a similar process will be implemented to address access controls for data 

A review is currently underway regarding action to take 


(U//FOUO) Table 33 summarizes the access and training provisions of the FAA §702 
targeting procedures and the controls implemented by NSA to maintain compliance. 


(b)(3)-P.L. 86-36 
(U) Table 33. Access and Training Provisions and Controls 

(U//FOUO) 

Provision: 
(U) NSA will develop and deliver training regarding the applicable procedures to ensure 
that intelligence personnel responsible for approving the targeting of persons under 
FAA §702, as well as analysts with access to the acquired foreign intelligence information, 
understand their responsibilities and the procedures that apply to this acquisition. 

Controls: 
(U//FOUO) NSA has a list of courses required annually for analysts to qualify for access 
to data acquired under FAA §702. This includes OVSC1203, a course specific to FAA §702. 

(U//FOUO) To access NSA targeting tools, all analysts must complete four courses on 
targeting. Analysts targeting under FAA §702 must also take a course on application of 
the authority. 

(U//FOUO) Adjudicators (who grant the final approval of TRs under FAA §702) must also 
complete a course on adjudication specific to the authority. 

(U//FOUO) Technology Directorate personnel who support FISA systems must complete 
OVSC1000, 1100 and 1806 annually and attend a briefing administered by OGC and TV. 


1 CHREE-FO-ASite EEX) SID Management Directive 421 states that FISA access is based on current mission 
need and does not follow individual analysts when they move to new missions or locations unless specified in the 
document authorizing the assignment. Persons changing missions, jobs, or locations must provide re-justification to 
through their management chains for FISA access or access to unminimized, unevaluated content in the new 
positions. 

78 (U//FOUO) Without [redacted] credential, analysts cannot access FAA §702 data and most other types of FISA 
data. This credential was originally established for FISA data and requires training in NSA’s standard 
minimization procedures for FISA information. 

TLERSHSHANEY Of NSA’s [redacted] missions authorized for FISA access, [redacted] are also authorized to access 
FAA §702 data. 


Provision: 
(U) NSA has established processes to ensure that raw traffic is accessible in authorized 
repositories only to those who have had the proper training. 

Controls: 
(U//FOUO) Access to FAA §702 foreign intelligence and the ability to submit and approve 
targeting under the authority require certain credentials and access to mission resources 
(databases, sources and tools). The approval is not granted unless the required training 
has been completed. (See above information regarding access.) 

(U//FOUO) NSA implemented an approach to query review that uses stratified sampling based upon 


(b)(3)-P.L. 86-36 


(UFS 


(U) Querying Repositories of Collected FAA §702 Data 


(U) Provisions of FAA §702 certifications—queries 


(U) Minimization procedures permit use of computer selection terms to scan storage 
media containing communications acquired pursuant to FAA §702 and to select 
communications for analysis with certain limitations. Query selection terms (e.g., 
telephone numbers and key words and phrases) must be formed in a manner 
reasonably likely to return foreign intelligence information. Collection obtained 
through NSA upstream Internet collection techniques may not be queried using 
selection terms of an identifiable USP. 


(U) Compliance controls—query compliance 


(U//FOUO) Queries of raw SIGINT databases are subject to USSID CR1610, SIGINT 
Production and Raw SIGINT Access, revised 12 February 2013, which requires that: 


• (U//FOUO) All user organizations designate two auditors to review daily 
those queries presented for their review, 


• (U//FOUO) Auditors be familiar with the targets and types of queries 
executed within their missions, 


• (U//FOUO) SV provide training for new auditors on their responsibilities and 
certify them as compliant before conducting audits, 


• (U//FOUO) SV conduct periodic super audits of interactive raw SIGINT 
database queries, verifying that selectors were foreign on the date the super 
audit is performed and examining the query terms to determine compliance 
with NSA policy, 


• (U//FOUO) NSA maintain a non-editable file of all such database queries for 
a minimum of one year, 


historical rates of queries identified as “reportable” to determine the queries from each database to be presented for 
auditor review. The 
developing a process to provide additional oversight for queries against this system. 

5! (U//FOUO) Auditors are now required to take NSA Raw Traffic Database Auditor Training (OVSC3101) every 
two years and must be cleared to the security level required for the authority under which the analyst performed the 
query subject to audit. 

(U//FOUO) The system used to test foreignness [redacted] does not maintain an historical record of 
foreignness of the tasked selector. 


(b)(3)-P.L. 86-36 
• (U//FOUO) All queries be driven by a foreign intelligence purpose, and 


• (U//FOUO) An audit record of the selection terms be created and reviewed per 
NSA policy by the originating organization. 


(U//FOUO) Mission auditors are assigned to each mission using held 
tool described in the access section. The tool requires that missions have designated 
auditors before new personnel can be approved for the missions. Auditor 
qualifications include target knowledge expertise in the mission area, familiarity with 
the type of queries to be reviewed, ability to mentor analysts to improve query 
execution, attainment of all credentials required for the data reviewed, and 
completion of all required training. Queries presented to auditors are required to be 
audited within 24 hours of receipt or on the next normal duty day. 


(b)(3)-P.L. 86-36 


(U//FOUO) SV developed OVSC3101, NSA Raw Traffic Database Auditor Training, 
to prepare auditors for post-query review. The course provides instruction on use of 
the corporate query audit system, incident identification, incident reporting, and 
maintenance of records of audits (to support SV super audits and DoJ/ODNI 
reviews). 

The [redacted] system, a legacy system which 
predates USSID CR1610 and is scheduled to be decommissioned, does maintain a log 
of queries for five years. The system has not yet been modified to provide these 

V is developing a procedure to perform audits of these queries. 

(b)(1) 
(b)(3)-P.L. 86-36 

(U//FOUO) Queries not using USP selection terms 
(U//FOUO) FAA §702 systems provide records of queries to the corporate logging 
and auditing system for user generated queries of raw SIGINT content. These 
records are the source for daily post-query reviews by auditors and SV query 
oversight. These systems also maintain records of query reviews. 


(U//FOUO) Auditors examine queries to determine whether they have a valid foreign 
intelligence purpose. Auditors also evaluate query selection terms to determine 
whether they were constructed so as to avoid obtaining information on USPs. The 
review is intended to balance the pursuit of foreign intelligence and protection of 
USPs’ Fourth Amendment rights. When a tasked FAA §702 selector is used as a 
query term and the selector is foreign, the corporate query logging and auditing 
system does not present the query for review by an auditor because the term has been 
reviewed by a releaser and an adjudicator as part of the TR approval for tasking 
during the targeting process. If a tasked selector is used as a query term and the 


8 (U//FOUO) One of the [redacted] does not send query records to the NSA corporate logging and 
auditing system. This system is scheduled to be decommissioned. 
(b)(3)-P.L. 86-36 


3% (U//FOUO) The query auditing and logging system obtains current tasked selectors from [redacted] and verifies their 
foreignness against NSA SIGINT databases. 
selector is not foreign, it is subject to review by an auditor. Queries using selection 
terms that are not approved selectors are subject to auditor review. 


(U//FOUO) Provisions of FAA §702—queries using USP selection terms 


(U//FOUO) A 3 October 2011 FISC Order approved the use of modified 
minimization procedures that permit queries of data collected under the authority only 
for foreign intelligence purposes, using USP query terms subject to specific NSA 
review procedures and external oversight. Such queries can only be performed using 
FAA §702 telephony communications and Internet communications obtained from 
downstream collection. Use of USP identifiers to query FAA §702 collection must be 
approved in accordance with NSA procedures. NSA is required to maintain records 
of all USP identifiers approved for use as selection terms. These query procedures 
are subject to oversight by DoJ and ODNI. 


(U//FOUO) Compliance controls—queries with USP selection terms 


(U//FOUO) NSA adopted internal procedures governing use of USP identifiers for 
queries of communications collected under FAA §702. Upstream Internet collection 
is not approved for such queries. DoJ and ODNI reviewed and approved these 
procedures. The Senate and House Intelligence Committees were informed of these 
changes. There are three sets of procedures for approval of these queries: 


• (U//FOUO) Queries of metadata, 
• (U//FOUO) Emergency queries of content, and 
• (U//FOUO) Non-emergency queries of content. 


(U//FOUO) NSA’s annually required course on FAA §702, OVSC1203, includes 
training on the use of USP identifiers to query raw data collected under the authority. 
The NSA FAA web page also contains the documented and approved procedures for 
these queries. Although metadata queries are not subject to pre-approval, the query 
and a foreign intelligence justification must be recorded to support external oversight. 
The justification must document the analytic knowledge linking the selector to a 
foreign target or foreign intelligence purpose. Content queries using USP identifiers 
are subject to pre-approval by S2, SV, and OGC. SV maintains records of all queries 
using USP identifiers and includes such queries in its query oversight. 


(U) Table 34 summarizes the query provisions of NSA’s FAA §702 minimization 
procedures and the controls implemented by NSA to maintain compliance. 
(U) Table 34. Query Provisions and Controls 
“ISTSTIRED TO CSAS 


Provision: 
(U) Storage media (data repositories) containing communications acquired 
pursuant to FAA §702 may be queried to identify and select communications for 
analysis. Query terms, such as telephone numbers and key words or phrases, will be 
limited to those selection terms reasonably likely to return foreign intelligence 
information. 

Controls: 
(U) Queries of FAA §702 databases may only be conducted for foreign intelligence 
purposes and are subject to review by mission auditors who must have target knowledge 
expertise in the mission area and have completed training on raw traffic database 
auditing. The review evaluates whether the query was for a valid foreign intelligence 
purpose. 

(U//FOUO) SV conducts periodic super audits of these queries. 

SHUSHR C-HSA- PY NSA maintains a file of all database queries for at least one year in 
the corporate logging and auditing system for user generated queries of raw SIGINT 
content. 

(b)(3)-P.L. 86-36 


Provision: 
(U) Identifiers of an identifiable USP may not be used as terms to query any Internet 
communication acquired through upstream Internet collection. Use of USP identifiers as 
terms to query communications must be approved in accordance with NSA procedures. 
NSA will maintain records of all USP identifiers approved for use as selection terms. 

Controls: 
(U//FOUO) All personnel receive annual training on USP query procedures which can only 
be performed for foreign intelligence purposes against FAA §702 telephony 
communications and Internet 

SV web page provides instructions for requesting approval of such queries, using a 
process that DoJ and ODNI approved. 

(U//FOUO) Queries of upstream Internet collection using USP terms are prohibited. 

(U//FOUO) Queries of metadata are not subject to pre-approval, but the query and 
foreign intelligence justification must be documented. 

(U//FOUO) Content queries using USP terms follow request and documentation procedures 
and are subject to pre-approval by SV and OGC. 

(U//FOUO) SV maintains records of all queries using USP identifiers and includes these 
queries in its oversight of query review. 


Provision: 
(U//FOUO) DoJ and ODNI will conduct oversight of NSA's queries using USP identifiers. 

Controls: 
(U) See the Oversight section. 


(U) Sharing and Dissemination 
(U) Sharing 
(U//FOUO) As stated in the Access and Training section, targeting procedures require 
that all personnel accessing or otherwise handling raw data acquired pursuant to 
FAA §702 must be current on training for the authority. This imposes restrictions 
even within NSA on the use of information obtained under this authority. 


(U) Unminimized communications acquired pursuant to FAA §702 may be provided 
to the CIA and FBI for targets each has identified to NSA. Each agency has 
minimization procedures for handling data collected under this authority and must 
handle communications provided by NSA in accordance with those procedures. 
Currently, unminimized data shared with the CIA and FBI is limited to 
communications derived from downstream collection. 


(U) Dissemination 


(U) The NSA minimization procedures apply to dissemination of all information 
acquired under FAA §702, including non-publicly available information concerning 
USPs acquired by targeting non-USPs approved under the NSA targeting procedures. 
There are several restrictions on dissemination of information acquired under this 
authority. 


(U//FOUO) Discrete Communications within an MCT Analysts seeking to 
disseminate information obtained from a discrete communication within an 
MCT must assess whether the communication is eligible for dissemination 
(e.g., not a domestic communication) and document that assessment in the 
comments field of the reporting tool in a manner that supports internal and 
external oversight. 


(U//FOUO) Attorney-Client Communications Dissemination of USP 
attorney-client privileged communications must be reviewed by the NSA 
OGC. NSA must cease review of communications between a person known 
to be under criminal indictment in the United States and an attorney 
representing that individual in that matter, segregate such communications, 
maintain a record of the identified attorney-client communications, and notify 
DoJ so that appropriate procedures may be established to protect such 
communications from review or use in a criminal prosecution, while 
preserving foreign intelligence information in the communication. 


(U//FOUO) Domestic Communications A domestic communication may 
only be disseminated if DIRNSA has approved a destruction waiver for that 
communication, documenting its eligibility for retention and dissemination. 
Such communications must contain information that meets one of four 
criteria: significant foreign intelligence, technical database information 
necessary to assess a communication’s vulnerability, evidence of a crime, or 
information concerning a threat of serious harm to life or property. 
Communications acquired when there was no reasonable belief at the time of 
tasking that a target was a non-USP located outside the United States are not 
eligible for destruction waivers. If a waiver has been obtained, NSA may 
share domestic communications that do not have foreign intelligence value but 
are believed to contain evidence of a crime with appropriate federal law 
enforcement authorities in accordance with applicable laws and regulations. 
Without a destruction waiver, NSA is authorized to notify the FBI if 
information in a domestic communication indicates that a target has entered 
the United States. The Agency may also provide information to the CIA and 


35 (U) 50 U.S.C. §§1806(b) and 1825(c) require that the communications be released with a statement that the 
Attorney General must approve use of the information in a criminal proceeding. USC §1806(b) is not limited to 
FAA §702 domestic communications; it applies to all disseminations to law enforcement. 
FBI for collection avoidance purposes. NSA may retain domestic 
communications shared with the CIA and FBI for six months and must restrict 
further use or dissemination of communications whose destruction has been 
waived by placing the identifiers for these communications on the MPL. 


(U) Foreign Communications of or Concerning USPs These 
communications may be disseminated if the identity of the USP is deleted 
and a generic term substituted so that the information cannot reasonably be 
connected with an identifiable USP. This process is referred to as “masking.” 
Otherwise, dissemination of intelligence based on such communications may 
only be made to recipients requiring the identity of the USP to perform their 
official duties and only if at least one of eight additional requirements is met: 


o (U) The USP consented to dissemination or the information is publicly 
available, 


o (U) The USP identity is necessary to understand the foreign 
intelligence information or assess its importance, 


o (U) The communication or information indicates that the USP may be 
a foreign power, an agent of a foreign power, residing outside the 
United States and holding an official position in the government or 
military forces of a foreign power, a corporation or other entity owned 
or controlled directly or indirectly by a foreign power, or acting in 
collaboration with an intelligence or security service of a foreign 
power and the USP has or has had access to classified national security 
information or material, 


o (U) The USP may be the target of intelligence activities of a foreign 
power, 


o (U) The USP is engaged in unauthorized disclosure of classified 
national security information (only if the originating agency has 
verified that the information has been properly classified), 


o (U) The USP communication was authorized by a court order and the 
communication may relate to the foreign intelligence purpose of the 
surveillance, 

o (U) The USP may be engaging in international terrorist activities, or 

o (U) There is evidence that the USP is engaging in a criminal activity. 

(U) Foreign Communication of or Concerning a Non-USP may be 
disseminated in accordance with other laws, regulations, and policies, 
provided that the communications are eligible for retention under FAA §702. 


(U) Collaboration with Foreign Governments Consistent with the authority 
accorded NSA by E.O. 12333, the Agency maintains cryptologic liaison 
relationships with certain foreign governments. Information derived from 
FAA §702 collection that has been evaluated for foreign intelligence and 
minimized for USP information may be disseminated to these foreign 
governments. Dissemination of information of or concerning a USP must 
comply with the restrictions described in Foreign Communications of or 
Concerning USPs above, as well as with those described for MCTs above. 
NSA is permitted to disseminate unminimized communications to foreign 
partners to obtain technical or linguistic assistance to determine the meaning 
or significance of the information. 


(U) Sharing FAA §702 with authorized NSA personnel 


(U//FOUO) Analysts authorized to access FAA §702 communications are trained to 
ensure that individuals with whom they wish to discuss such communications have 
appropriate credentials. [redacted] permits review of an individual’s training and 
clearances. The training also addresses NSA policy which states that e-mailing 
unminimized and unpublished data to anyone, even other NSA personnel, violates 
compliance controls, such as effective auditing. 
(b)(3)-P.L. 86-36 


(U) Provision of unminimized communications to CIA and FBI 


(U//FOUO) As described in the Targeting section, NSA must approve selectors
nominated by these agencies based upon compliance with NSA targeting procedures.
For approved selectors, Internet communications [redacted] are routed to the
requesting agency upon information in the TR. NSA policy states that analysts
should not share minimized and unevaluated communications received pursuant to
this collection with the CIA and FBI for selectors tasked on behalf of those
agencies; collaboration on such collection is permitted when analysts from the
CIA or FBI access the unminimized communications from their own agencies’
FAA §702 data repositories. The required annual FAA §702 course, OVSC1203,
provides training on these restrictions which are designed to assure
accountability of dissemination if recall or purge becomes necessary.

(b)(3)-P.L. 86-36


(U) General dissemination requirements 


(U//FOUO) Limits on use of reported FAA §702 communications Analyst
training (OVSC1203) instructs that “use or disclosure of information derived from 
FAA §702 communications in any criminal proceeding, immigration proceeding, or 
any other legal or administrative proceeding is prohibited without the advance 
authorization of the Attorney General of the United States.” To prevent such use, 
NSA internal procedures require that disseminations of FAA §702 derived 
information include the “Intelligence Purposes Only” caveat that prohibits use of the 
information without approval. This is included in the FAA §702 training. 


(U//FOUO) Collected traffic that has been evaluated to determine whether it contains foreign intelligence and has
been subject to minimization to protect USP identities is referred to as evaluated minimized traffic or EMT.

(U) Dissemination for technical or linguistic assistance is subject to specific restrictions limiting the use of the
information by the foreign government to translation or analysis of the communications, allowing dissemination
only to the individuals performing the analysis or translation, restricting the foreign government from making a
permanent record of the information, and requiring destruction or return to NSA of the information disseminated.

(U//FOUO) Reporting documentation Consistent with the purge requirements in
the minimization procedures, NSA is required to account for and must be able to trace 
its disseminations based on FAA §702 communications. The annual training 
addresses the documentation that analysts must complete to fulfill this requirement: 


• (S//NF) The collection authority (specific FAA §702 [redacted]) for each
piece of traffic used in the report, and

(b)(3)-P.L. 86-36

• (U) A source verification statement documenting an identifier for each piece
of traffic and confirming that the source was not ineligible for retention or 
subject to purge. A new reporting tool, first introduced in 2013, performs the 
source verification automatically. Successful completion of this process with 
no flags confirms the traffic may be used as a source for reporting. 


(S//SI//REL TO USA, FVEY) An NSA reporting policy document, Sourcing
Requirement and Verification Guidance, ISS-054-10, revised 8 May 2012, provides
reporting and dissemination guidance. The policy requires that individuals releasing
reports verify that the reports do not contain information that should have been
purged from raw SIGINT databases. This must be performed within 24 hours of the
report release using the Master Purge List. SIGINT reporters are also required to
include traffic source identifiers for all reports and enter source verification
statements in the reporting tool to confirm that this review has been performed.


(S//SI//REL TO USA, FVEY) The primary analyst reporting tools used in 2013
performed automated verification of sources against [redacted] at the time of
report release. If none of the source records for the report matched records in the
purge system, the report would be released. If a match to the identifier for a purged
record was found, the release would be stopped and the individual releasing the report
would be notified. The policy requires that a manual source verification check be
performed for reports released through means without automated source verification.
In 2014, a new analyst reporting tool was implemented that also includes automated
source verification (see the Purge section).

(b)(3)-P.L. 86-36


(U) Disseminating communications involving MCTs 


(U//FOUO) The FAA §702 annual training course, OVSC1203, addresses procedures
that analysts must perform for upstream Internet collection containing MCTs to 
comply with the minimization procedures. The training identifies the requirements 
for disseminating single discrete communications within MCTs. The course also 
explains requirements for documenting the analysis that supports the decision that 
communications are eligible for reporting. An NSA reporting policy document, 
Source Record Entries for Reporting from FAA 702 Multiple Communications 
Transaction, ISS-185-11, requires that compliance be documented in NSA reporting 
tools. SV performs oversight of the documentation supporting use of certain MCTs 
for reporting (see the Oversight section). 

(U) Disseminating attorney-client communications


(U//FOUO) In OVSC1203, analysts are trained on the requirement that NSA OGC
personnel pre-approve disseminations of information involving USP attorney-client
privileged communications.


(U//FOUO) Disseminating domestic communications Dissemination of domestic
communications is limited to those communications for which DIRNSA has approved
a destruction waiver documenting their eligibility for retention.⁸⁸ Such
communications must contain information that meets at least one of five criteria: 
significant foreign intelligence, technical database information, information necessary 
to assess communications vulnerabilities, evidence of a crime, or information 
concerning a threat of serious harm to life or property. (Destruction waivers are 
discussed in the Oversight and Purge sections.) Training on retention and use of 
domestic communications is included in OVSC1203. 


(U//FOUO) Disseminating foreign communications of or concerning USPs


(U//FOUO) OVSC1203 addresses the requirement to exclude information from
reporting that would allow a reader to determine a USP’s identity unless the identity 
qualifies for dissemination under the terms of the FAA §702 minimization 
procedures. NSA’s Information Sharing Services Group (ISS) reviews exceptions to 
this “masking” requirement. ISS handles requests for release of USP identities. 


(U) Disseminating foreign communications of or concerning a non-USP 
Foreign communications of non-USPs that contain foreign intelligence are eligible for 
dissemination subject to other applicable laws and policies. 


(U) Dissemination to foreign governments Information obtained under FAA §702 
may be disseminated to foreign governments in three ways (addressed in 
OVSC1203): 


88 (U//FOUO) A destruction waiver is not required for dissemination of domestic communications to notify the FBI
of the target’s presence in the United States or to notify the FBI or CIA for collection-avoidance purposes.

[redacted] Such dissemination must be performed in accordance with special
handling procedures and requires the approval of SV and OGC, who maintain 
records and report this activity to DoJ and ODNI. 


(S//REL TO USA, FVEY) Dissemination of collection acquired when post-tasking
technical checks are not functioning properly In 2013, NSA identified
and reported an incident in which a system modification caused incomplete
production of [redacted] (see the Post-Targeting section). Amended
minimization procedures approved in November 2013 required application of
procedures that NSA developed in response to the incident. These procedures
included additional verification of target location before FAA communications
acquired during a period when [redacted] post-tasking technical checks are not
functioning as intended are used for targeting and dissemination. These procedures
were the subject of several communications across SID, as well as training sessions,
and are documented on NSA’s FAA §702 web page.


(U//FOUO) Table 35 summarizes the sharing and dissemination provisions of the
FAA §702 targeting and minimization procedures and the controls implemented by 
NSA to maintain compliance. 


(U) Table 35. Sharing and Dissemination Provisions and Controls 


Provision: (U) NSA has established processes to ensure that raw traffic is
accessible in authorized repositories only to those who have had the proper
training.
Control: (U) Annual FAA §702 training addresses analyst responsibility for
ensuring that individuals with whom they wish to discuss FAA §702
communications have the necessary credentials and training.

Provision: (U) NSA may provide to the CIA and FBI unminimized communications
acquired pursuant to FAA §702. These communications will be based upon targets
that each agency identifies to NSA.
Control: (S//NF) SV adjudicates TRs from CIA and FBI. If approved, the agencies
will receive unminimized communications [redacted]. For requested targets whose
selectors are already [redacted] NSA [redacted] personnel will [redacted]
dual-route [redacted] to provide [redacted] Internet communications to the
requesting agency.

(b)(3)-P.L. 86-36

Provision: (U) Minimization procedures require NSA be able to purge
communications that meet specific requirements.
Control: (U) To account for and trace dissemination based on FAA §702
communications and to comply with purge requirements, analysts must document
certain information for the data sources in each report, including the
certification under which data was collected and a statement verifying that each
piece of traffic used was confirmed as eligible for retention. This is addressed
in annual analyst training and NSA reporting policy.
(U//FOUO) A new reporting tool, first introduced in 2013, performs the source
verification automatically. Successful completion of this process with no flags
confirms the traffic is not subject to purge and may be used as a source for
reporting.

(b)(3)-P.L. 86-36

(b)(3)-P.L. 86-36

Provision: (U) A dissemination based on communications of or concerning a USP
that are eligible for retention may be made, if the identity of the USP is
deleted and a generic term or symbol is substituted so that the information
cannot reasonably be connected with an identifiable USP. Otherwise,
dissemination of intelligence based on communications of or concerning a USP may
only be made to a recipient requiring the identity of such person for the
performance of official duties and only if at least one of eight criteria is met.
Control: (U) This requirement is consistent with NSA reporting policy for all
reporting based on communications of USPs.

Provision: (U) NSA analysts seeking to use a discrete communication within an
MCT for reporting must document that specified analysis has been performed.
Control: (U//FOUO) Annual FAA §702 training includes the requirements for
reporting based upon discrete communications within an MCT and the
documentation required. SV reviews this documentation for certain MCTs. (See
Oversight - SID Oversight and Compliance.)

Provision: (U) All proposed disseminations of information constituting USP
attorney-client privileged communications must be reviewed by the NSA OGC before
dissemination.
(U) Monitoring of attorney-client communications between a person known to be
under criminal indictment in the United States and an attorney representing that
individual in the matter under indictment must cease once the relationship has
been identified. Acquired communications must be logged and the National
Security Division of the DoJ notified so that appropriate procedures may be
established to protect such communications from review or use in criminal
prosecutions, while preserving foreign intelligence information contained
therein.
Control: (U) Annual FAA §702 training addresses procedures analysts must perform
to disseminate this data. OGC notifies DoJ NSD of such communications and
advises mission personnel on dissemination.

Provision: (U//FOUO) Minimization procedures require that domestic
communications be promptly destroyed upon recognition, unless DIRNSA approves
the communication for a destruction waiver. Domestic communications for which a
destruction waiver is approved may be disseminated. If a waiver has been
obtained, NSA may share domestic communications believed to contain evidence of
a crime with appropriate federal law enforcement authorities in accordance with
applicable laws and regulations. Without a destruction waiver, NSA is authorized
to notify the FBI if information in a domestic communication indicates that a
target has entered the United States and may provide information to both the CIA
and FBI for collection avoidance purposes.
Control: (U) Annual FAA §702 training addresses this requirement.

Provision: NSA is permitted to disseminate evaluated minimized information to
foreign partners.
Control: NSA policy requires that dissemination of EMT acquired pursuant to
FAA §702, other than as serialized product, must be approved by the SIGINT
Director and a record of the dissemination provided to SV.

Provision: (U) NSA may disseminate raw data to a foreign government for
technical or linguistic assistance.
Control: (U) Annual FAA §702 training addresses the requirement that such
dissemination must be approved by SV and OGC, who will manage the restrictions
on this dissemination, keep the required records, and report to DoJ and ODNI.

Provision: (S//NF) If NSA seeks to use information acquired pursuant to
FAA §702 when there is uncertainty about the location of the target of the
acquisition because post tasking [redacted] checks described in NSA’s FAA §702
targeting procedures were not functioning properly, NSA will follow internal
procedures for determining whether such information may be used.
Control: (S//NF) Procedures addressing the requirements for use of data acquired
when post-tasking [redacted] checks are not functioning as intended were
communicated to mission personnel and are documented on the FAA §702 web page.

(b)(1)
(b)(3)-P.L. 86-36

(U) Purge 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


(U) Background 


(S//REL TO USA, FVEY) The Post-Targeting section documents the requirements for
destruction of communications and the processes that may identify a change in the
target’s location or USP status. These processes include analyst review of
[redacted] receipt of information from other agencies. If the circumstances
result in unauthorized collection, the non-compliant data will be identified and
purged. The period of the unauthorized collection is included in an incident
report documented by SV and is used by the purge adjudicator, who initiates the
purge process.


(U//FOUO) Compliance controls—purge of FAA §702 communications
Manual and automated controls support the purge process. SID’s Mission Support-
Systems and Data Compliance Group, within the Directorate for Analysis and
Production, developed a purge information web page to guide analysts. This page
includes instructions to purge communications collected under FAA §702 authority.
The directions call for analysts to contact SV, if they believe that purge of FAA §702
data is required, because nearly all cases requiring purges also require incident
reports.


(S//SI//REL TO USA, FVEY) The purge web page describes two types of purges: 1)
incident or parametric purges which are necessary when the reason for the purge
affects all collection for a target or selector over a period of time (SID’s Mission
Support-Systems and Data Compliance Group performs these); and 2) purge upon
recognition or analyst-driven purges. A parametric purge is applied, for example, to
remove communications collected after a target is determined to be in the United
States. Purge upon recognition for FAA §702 is, for example, required when: 1)
NSA identifies a discrete domestic communication within an MCT, requiring the
entire MCT to be purged or 2) a legally acquired foreign communication between a
foreign target and a USP or a communication in which the subject is a USP found to
have no foreign intelligence value.


(U) “Purge” refers to the deletion of communications from systems that were acquired as a result of unauthorized
collection or otherwise are not authorized for retention pursuant to the minimization procedures.

From the time of collection.

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


DOCID: 4273474


TOP SECRET//SI//NOFORN
ST-14-0002


(U//FOUO) NSA has implemented a mission compliance standard for purges which
states that, consistent with NSA’s FAA §702 minimization procedures and absent a
destruction waiver, some or all communications data acquired under the authority
must be purged if any of the following criteria are satisfied:

• (U) The targeted person is confirmed or believed to be a USP, regardless of
location (purge all communications),

• (U) The targeted person was confirmed or believed to be in the United States
at the time of collection (roamer) (purge collection acquired during period of
U.S. travel),

• (U) A person was incorrectly targeted (purge all collection),

• (U) The tasked selector is known or suspected to be used by a USP (purge all
communications from known date of use by the USP),

• (U) The tasked selector was known or suspected to be accessed from within
the United States (purge communications from date of access),

• (U) The tasked selector was tasked before being approved for tasking,
remained tasked for any reason after collection was no longer authorized, or
was tasked under the wrong authority (purge all collection),

• (U) An incorrect selector was tasked (purge all collection),

• (U) The communication is one in which the sender and all intended recipients
were in the United States at the time of acquisition of the communication
(purge affected communications), or

• (U//FOUO) The communication otherwise qualifies as a “domestic
communication” as defined in the FAA §702 minimization procedures and
DIRNSA or the Acting DIRNSA has not executed a destruction waiver to
authorize continued retention of the communication (purge affected
communications).


(U//FOUO) Purge processes Purging involves four processes: nominate data to
purge, adjudicate purge nominations, execute purge actions, and verify purge actions.
Other systems are certified to hold certain data copied or derived from [redacted]
data objects. These systems have their own purge processes. The following
description focuses on [redacted].

(b)(3)-P.L. 86-36


(U//FOUO) Nomination for purge Nomination involves identification of the
selectors and time period for which communications must be destroyed. For
FAA §702, most are identified in incident reports, and SV determines whether purge
is required and documents the date range for purge in the incident report. Purges of 
specific data objects are also initiated by analysts recognizing content that meets 
minimization criteria, but which is not an indicator of a compliance incident. This 
process is known as “purge upon recognition.” For this type of purge, the identifiers 
of the affected communications are placed on the MPL in “discover state” before a 
modified version of the process described below is followed. 


(U//FOUO) Adjudicating purge nominations Purge adjudication is the process
whereby the purge adjudication authority, SID’s Mission Support-Systems and Data
Compliance Group, determines the validity and accuracy of a nominated purge
request, locates the data required for destruction, and places the data objects on the
master purge list (MPL). The goal of adjudication is to ensure compliance with purge
criteria without over-purging communications at the expense of mission. The
adjudicator:

• (U//FOUO) Evaluates the nomination against the purge criteria (unless a
determination was made during incident processing),

• (U//FOUO) Using logical parameters provided in the nomination, determines
and issues search criteria for discovery of potentially affected communications
in the [redacted],⁹²

(b)(3)-P.L. 86-36

• (U//FOUO) Enters identifiers of affected data objects in the MPL in “discover
state” to prevent use as a source for new SIGINT reporting or other controlled
uses and to initiate checks to determine if the objects were used in prior
SIGINT reporting,

• (U//FOUO) Manages the impact of pending or approved destruction waivers
that may exclude specific objects from purge,

• (U//FOUO) For data objects requiring purge, changes MPL state of their
identifiers to “purge” and issues purge execute orders to the [redacted] to
delete those objects, and

• (U//FOUO) Records the decision to purge, release, or [illegible] the data
objects in the corporate purge tracking system, which retains
submitted data identifiers with historical records of actions taken and cross-
references to original compliance incidents and/or purge nominations that
caused them to enter the purge process.

(b)(3)-P.L. 86-36

92 The discovery process is performed by a limited number of individuals with special access for each


(U//FOUO) For purges stemming from system or technical errors, collection and/or
technical subject matter experts are typically relied upon to conduct or assist with
purge discovery. Some aspects of the adjudication process may be modified based on
the details of the specific incident.


(U//FOUO) Executing purge actions The purge executor receives purge decisions
containing the unique identifiers of the data to be purged, confirms receipt of the
orders, changes the MPL state for those identifiers to “purge,” and retains records of
the purge action for five years. [redacted] system owners are responsible for
processing the orders, rendering the specified data unrecoverable, and confirming
completion of purge execute orders.


(U//FOUO) Verifying purge actions Procedures are performed to provide
additional assurance that system owners have purged required SIGINT data from
[redacted]. SV obtains random samples of data from the master purge list and
determines whether the data objects have been removed from the systems selected for
review.


(U//FOUO) Automation to support purge processing Much of the purge process
is performed manually. NSA is developing a system to automate more of the purge
process in phases between [redacted].


(U//FOUO) Reports affected by purge actions SIGINT reporting procedures
require MPL checks to prevent publication of new reports with sources that were
subject to purge. Additional measures are taken to detect and adjudicate
already-disseminated SIGINT products affected by a compliance incident or specific data
identified during purge discovery. Incident reports include information SV obtained 
from the mission team on reports issued related to the target or collection referenced 
in the incident. Another source of information is a daily query run by NSA's 
management information systems for SIGINT production against the MPL to identify 
reports sourced from communications listed on the MPL, whether because of an 
incident or purge-upon-recognition. 


(U//FOUO) When SIGINT products with potentially "tainted" sources are identified,
the Reports under Review (RUR) team coordinates with the mission team that issued 
the report, the purge adjudication authority, SV, and OGC, as necessary, to determine 
and complete appropriate actions. This may include requesting a destruction waiver 
to permit retention of the traffic and allow the report to stand, removing the MPL- 
listed traffic completely from the report and revising and reissuing the report, or 
recalling the report. The RUR team maintains a list of affected reports and their 
status that is updated when the report analysis is complete. The purge adjudication 
authority makes necessary changes to the status of the communication identifiers on
the MPL, depending on the action taken. 
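
The MPL checks described above (discover-state entries that block new reporting, the source check at report release, and the daily query against issued reports) can be sketched as follows. This is an added example, not NSA tooling or code from the report; the class and function names, the "released" state name, the waiver handling, the fail-closed rule for reports without sources, and all identifiers are assumptions constructed for illustration.

```python
"""Added illustration: gating report release on a master purge list (MPL)."""
from dataclasses import dataclass, field
from enum import Enum


class MplState(Enum):
    DISCOVER = "discover"   # named in the text: nominated, awaiting adjudication
    PURGE = "purge"         # named in the text: data object must be deleted
    RELEASED = "released"   # assumed name: cleared by adjudication or waiver


@dataclass
class MasterPurgeList:
    entries: dict = field(default_factory=dict)   # identifier -> MplState
    history: list = field(default_factory=list)   # (identifier, state, reason)

    def _set(self, ident, state, reason):
        self.entries[ident] = state
        self.history.append((ident, state, reason))

    def nominate(self, idents, reason):
        """Place identifiers in discover state; never downgrade a purge entry."""
        for ident in idents:
            if self.entries.get(ident) is not MplState.PURGE:
                self._set(ident, MplState.DISCOVER, reason)

    def adjudicate(self, ident, meets_purge_criteria, waiver_approved=False):
        """Move a discover-state identifier to purge, or release it."""
        if self.entries.get(ident) is not MplState.DISCOVER:
            raise ValueError(f"{ident} is not awaiting adjudication")
        if meets_purge_criteria and not waiver_approved:
            self._set(ident, MplState.PURGE, "adjudicated: purge")
        else:
            self._set(ident, MplState.RELEASED, "adjudicated: release")
        return self.entries[ident]

    def blocked(self, idents):
        """Identifiers that may not be used as a source (discover or purge)."""
        blocking = (MplState.DISCOVER, MplState.PURGE)
        return sorted(i for i in set(idents) if self.entries.get(i) in blocking)


@dataclass
class Report:
    serial: str
    sources: list
    verification: str = ""   # source verification statement


def release(report, mpl):
    """Release gate: fail closed on missing sources or on any MPL match."""
    if not report.sources:
        return False, ["<no source identifiers recorded>"]
    flagged = mpl.blocked(report.sources)
    if flagged:
        return False, flagged            # release stopped, releaser notified
    report.verification = (
        f"{len(report.sources)} sources checked against MPL, no flags")
    return True, []


def daily_query(issued, mpl):
    """Already-issued reports whose sources have since appeared on the MPL."""
    hits = {}
    for rpt in issued:
        flagged = mpl.blocked(rpt.sources)
        if flagged:
            hits[rpt.serial] = flagged
    return hits


def demo():
    """Constructed scenario: an incident is nominated after two reports issue."""
    mpl = MasterPurgeList()
    issued = [Report("RPT-0001", ["obj-a", "obj-b"]),
              Report("RPT-0002", ["obj-c"])]
    for rpt in issued:
        release(rpt, mpl)                      # both pass: the MPL is empty
    mpl.nominate(["obj-b", "obj-d"], "constructed incident INC-1")
    new = Report("RPT-0003", ["obj-d", "obj-e"])
    stopped = release(new, mpl)                # obj-d is in discover state
    mpl.adjudicate("obj-d", meets_purge_criteria=False)
    passed = release(new, mpl)                 # obj-d released by adjudication
    mpl.adjudicate("obj-b", meets_purge_criteria=True)
    return stopped, passed, daily_query(issued, mpl)


if __name__ == "__main__":
    print(demo())
```

The reports returned by `daily_query` correspond to the products the Reports under Review team would follow up on.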


(U//FOUO) Table 36 summarizes the purge provisions of the FAA §702 targeting and
minimization procedures and the controls NSA has implemented to maintain 
compliance. 


(U) Table 36. Purge Provisions and Controls 


Provision: (U//FOUO) Telephony communications and Internet communications
acquired with the assistance of the FBI from Internet service providers that are
not approved for retention under the standards set forth in the minimization
procedures and that are known to contain communications of or concerning USPs
will be destroyed upon recognition.
Control: (U//FOUO) Annual FAA §702 training addresses post-targeting review of
target communications and situations requiring destruction of communications,
which most often require notification to SV and an incident report.

Provision: (U//FOUO) Internet transactions acquired through NSA's upstream
collection techniques that do not contain information that meets the retention
standards set forth in the minimization procedures and that are known to contain
communications of or concerning USPs will be destroyed upon recognition.
Control: (U//FOUO) Annual FAA §702 training addresses post-targeting review of
target communications and situations requiring destruction of communications,
which most often require notification to SV and an incident report.

Provision: (U) Internet transactions that are identified and segregated pursuant
to the requirements for processing MCTs and are subsequently determined to
contain a discrete communication in which the sender and all intended recipients
are reasonably believed to be in the United States will be handled as domestic
communications.
Control: (U//FOUO) Annual FAA §702 training addresses post-targeting review of
target communications and situations requiring destruction of communications,
which most often require notification to SV and an incident report.

Provision: (U//FOUO) A communication identified as a domestic communication
(and, if applicable, the Internet transaction in which it is contained) will be
promptly destroyed upon recognition, unless DIRNSA or the Acting DIRNSA approves
a destruction waiver after determining the communication meets one or more of
four specific conditions.
Control: (U//FOUO) Annual FAA §702 training addresses post-targeting review of
target communications and situations requiring destruction of communications,
which most often require notification to SV and an incident report.

Provision: (U//FOUO) Any communications acquired through the targeting of a
person who at the time of targeting was reasonably believed to be outside the
United States but is in fact inside the United States at the time such
communications were acquired and any communications acquired by targeting a
person who at the time of targeting was believed to be a non-USP but was in fact
a USP at the time such communications were acquired will be treated as domestic
communications under these procedures.
Control: (U//FOUO) Annual FAA §702 training addresses post-targeting review of
target communications and situations requiring destruction of communications,
which most often require notification to SV and an incident report.
(S//REL TO USA, FVEY) In addition to an review of communications, investigation
of [redacted] notices from others involved in processing FAA §702 information,
and receipt of information from other agencies may identify an incident. If the
circumstances of the collection require an incident report, analysts and SV work
together to determine the extent of the communications affected. This is used to
document the purge parameters in an incident report, which becomes the source
for the purge adjudication process.
(U//FOUO) Communications identified for purge are subject to adjudication to
determine whether the nominated data objects are consistent with the purge
criteria, communications affected by the incident have been properly identified,
destruction waivers (pending or approved) may affect the

The adjudicator adds the relevant data to the Master Purge List (MPL) to prevent
its use in targeting and reporting and issues purge execute orders to
appropriate systems.
(U//FOUO) Owners of the FAA §702 [redacted] execute the purge orders, remove
data matching the included identifiers, and acknowledge completion of each
order.
(U//FOUO) NSA’s management information system for SIGINT reporting queries the
MPL daily to identify data objects added to the list that may be associated with
issued reports. The Reports under Review team uses this information and incident
report data concerning reporting associated with the affected communications to
follow up with mission personnel for recall or reissuance of the reports.
(U//FOUO) SV randomly samples records from the MPL, comparing them to the
FAA §702 repositories to assure completeness of purge.

Provision: (S//NF) For information acquired pursuant to FAA §702 during a
period when [redacted] post-tasking checks were not functioning properly,
resulting in uncertainty about the location of the target of the acquisition, if
NSA determines that the target is reasonably believed to have been inside the
United States at the time the information was acquired, such information will
not be used and will be promptly destroyed.
Control: (S//NF) SID guidance, NSA Procedures for the Use of FAA 702, 704 or
705(b) Collection, last revised 15 November 2013, was updated to provide manual
procedures for evaluating data when NSA's post-tasking [redacted] checks are not
properly functioning.

(b)(3)-P.L. 86-36


(U) Retention of Data 
(U) Provisions of FAA §702 certifications 


(U//FOUO) The retention criteria in the minimization procedures apply only to
communications not subject to purge based upon other minimization requirements 
(see the Post-Targeting section). 


(U//FOUO) NSA minimization procedures state that telephony [redacted]
communications will be retained no longer than five years from the expiration date of
the certification authorizing collection, unless NSA analysts have determined that the
communications meet the retention standards set forth in the minimization
procedures, for example, communications necessary to understand foreign
intelligence information. Communications for which SIDDIR has approved longer
retention and for which a purge was not otherwise required, may also be retained.
Communications for which DIRNSA has waived destruction may also be retained in
accordance with the terms of the destruction waiver.

(b)(3)-P.L. 86-36


(U) In general, NSA may not retain Internet transactions obtained through upstream 
collection techniques longer than two years from the expiration date of the 
certification authorizing collection. However, NSA may be able to retain certain 
Internet transactions longer, if at least one discrete communication within the 
upstream Internet transaction would otherwise meet the retention standards and each 
discrete communication within the transaction is to, from, or about a tasked selector 
or not to, from, or about a tasked selector and is also not to or from a USP or person 
reasonably believed to be in the United States. The minimization procedures also 
required destruction of all upstream Internet transactions acquired before
November 2011.


(U) Retention control procedures 


(U//FOUO) System certification: The NSA system certification process
implemented in 2010 (see the Repositories section) includes the Agency’s 
requirements for compliance with the FAA §702 retention limits established in the 
minimization procedures. To be certified, FAA §702 systems must: 1) limit retention 
of unminimized data records to the authorization and retention periods of the 
certification under which they were collected, 2) retain data with an approved age-off 
waiver beyond the normal age-off period (SID Director waiver), and 3) provide a 
means to identify data records to be retained beyond the maximum retention period 
specified by the collection authority under which it was obtained.” 


(U//FOUO) Data tagging: Data tags are now associated with most collection before
it is made available to data stores accessible to analysts. The tags include the 
certification under which the communications were obtained, further supporting 
NSA’s ability to identify records that meet the criteria for removal from system 
repositories based upon age-off requirements associated with each certification. In 
2014, new data tags were implemented to distinguish among the retention periods for 
upstream Internet transactions (two years), downstream collection (five years) and 
telephony data (five years). 


(U//FOUO) Implementation and monitoring of age-off: Processes have been
implemented to age-off data in FAA §70 [(b)(3)-P.L. 86-36] Though the minimization
procedures require data be aged-off within two or five years of expiration of the
certification, depending upon the source of collection, the processes NSA uses for
determining age-off result in earlier removal of data (see Table 37).”* 


3 (U//FOUO) NSA’s FAA §702 minimization procedures provide no maximum retention period for foreign
communications determined to contain foreign intelligence information. The age-off requirements apply to 
communications for which such a determination has not been made. 

4 (U//FOUO) The FAA §702 certifications are renewed annually. Expiration of the certification in effect for any
collection would occur somewhere between 1 and 365 days of that collection. NSA applies age-off criteria to time
of collection or recording date, not the expiration of the certification. 
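
The age-off control described above and in footnote 4, sketched as an added example (it is not NSA code and does not come from the report). The retention periods, the November 2011 upstream cutoff, and the use of collection date rather than certification expiration come from the text; the record fields, disposition names, and the order in which the checks are applied are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods (years) by collection source, as listed on the page.
RETENTION_YEARS = {"upstream": 2, "downstream": 5, "telephony": 5}
# Upstream transactions acquired before November 2011 must be destroyed.
UPSTREAM_DESTROY_BEFORE = date(2011, 11, 1)


@dataclass(frozen=True)
class TaggedRecord:
    """Hypothetical data-tag header; all field names are assumptions."""
    record_id: str
    source: str                            # "upstream" | "downstream" | "telephony"
    collected: date                        # time of collection / recording date
    cert_expires: date                     # expiration of the authorizing certification
    retention_determination: bool = False  # analyst found retention standards are met
    waiver_until: Optional[date] = None    # approved age-off waiver, if any


def add_years(d: date, years: int) -> date:
    """Calendar-year shift; 29 Feb maps to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def policy_deadline(rec: TaggedRecord) -> date:
    """Latest date allowed by the procedures: N years after certification expiry."""
    return add_years(rec.cert_expires, RETENTION_YEARS[rec.source])


def operational_deadline(rec: TaggedRecord) -> date:
    """Date actually applied per footnote 4: N years after collection."""
    return add_years(rec.collected, RETENTION_YEARS[rec.source])


def early_removal_days(rec: TaggedRecord) -> int:
    """How many days before the policy limit the record is removed."""
    return (policy_deadline(rec) - operational_deadline(rec)).days


def tags_valid(rec: TaggedRecord) -> bool:
    """A record can only be aged off automatically if its tags are usable."""
    return rec.source in RETENTION_YEARS and rec.collected <= rec.cert_expires


def disposition(rec: TaggedRecord, today: date) -> str:
    """Decide what a retention sweep does with one record on a given day."""
    if not tags_valid(rec):
        return "hold"                      # assumption: untagged data goes to review
    if rec.source == "upstream" and rec.collected < UPSTREAM_DESTROY_BEFORE:
        return "destroy"                   # assumption: checked before any exception
    if rec.retention_determination:
        return "keep_determination"        # no maximum period applies (footnote 3)
    if rec.waiver_until is not None and today <= rec.waiver_until:
        return "keep_waiver"
    if today >= operational_deadline(rec):
        return "age_off"
    return "keep"


def sweep(records, today: date) -> dict:
    """Run the disposition check over a batch of tagged records."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample records; none of these values come from the report.
SAMPLE = [
    TaggedRecord("u1", "upstream", date(2014, 3, 1), date(2014, 9, 15)),
    TaggedRecord("t1", "telephony", date(2014, 3, 1), date(2014, 9, 15)),
    TaggedRecord("d1", "downstream", date(2009, 1, 10), date(2009, 8, 1),
                 retention_determination=True),
    TaggedRecord("w1", "upstream", date(2013, 5, 1), date(2013, 9, 1),
                 waiver_until=date(2017, 1, 1)),
    TaggedRecord("old", "upstream", date(2011, 10, 15), date(2012, 6, 1),
                 retention_determination=True),
    TaggedRecord("bad", "unknown", date(2014, 3, 1), date(2014, 9, 15)),
]

if __name__ == "__main__":
    for rid, action in sweep(SAMPLE, date(2016, 3, 1)).items():
        print(rid, action)
```

Because a certification is still in effect when collection happens, the collection-based deadline can never fall after the certification-based one, which is why this style of age-off removes data early rather than late.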
(U) Table 37. System Age-Off Procedures


(b)(4)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


* (U//FOUO) Enterprise data header (EDH) is a small set of metadata tags applied to a piece of
mission data so that it can be identified, protected, tracked, and handled throughout its life cycle.

† (U//FOUO) Systems scheduled to be decommissioned.
* (U//FOUO) DTOI, date and time of intercept.


(b)(1)
(b)(3)-P.L. 86-36


(U//FOUO) Table 38 summarizes the retention provisions of the FAA §702 targeting
and minimization procedures and the controls NSA implemented to maintain 
compliance. 
(U) Table 38. Retention Provisions and Controls


(U) Telephony communications and Internet
communications acquired by or with the
assistance of the FBI from Internet Service
Providers may not be retained longer than five 
years from the expiration date of the certification 
authorizing the collection unless NSA determines 
that each communication meets the retention 
standards in these procedures. 


(U) Internet transactions acquired through NSA’s
upstream collection may not be retained longer
than two years from the expiration date of the
certification authorizing the collection, unless
NSA determines that each communication meets
the retention standards in these procedures.
[Additional requirements regarding MCTs are
addressed in the Purge section.]


(U) Internet transactions that are identified and 
segregated pursuant to the procedures for MCTs 
will be retained in an access-controlled 
repository. 

(U) Any information contained in a segregated 
Internet transaction may not be moved or copied 
from the segregated repository or otherwise used 
for foreign intelligence purposes unless it has 
been determined that the transaction does not 
contain any discrete communication as to which 
the sender and all intended recipients are 
reasonably believed to be located in the United 
States. 


(U) Any Internet transactions acquired through
NSA's upstream collection techniques prior to
31 October 2011 will be destroyed upon
recognition.


(U) Oversight 


(U) System certification, required of all
FAA §702 systems, includes retention
standards consistent with minimization
procedures.

(U) Data tags are now associated with most
collection before it is made available to data
stores accessible to analysts. Data tags support
identification of records for age-off.

(U//FOUO) [illegible]
software tool to search for data beyond the
required age-off procedure. A similar tool is
being developed for [redacted]


(U//FOUO) NSA has implemented a
segregation process and sequestered MCT 
data is maintained in a collection store where it 
is not available for analytic use. None of the 
data subject to sequestration has been 
transferred to repositories accessible to 
analysts. 

(U//FOUO) NSA has deleted all identified
upstream Internet collection acquired before 
November 2011. If additional data is identified 
that was subject to this purge requirement, NSA 
deletes it upon recognition. 

(U) These controls are documented in the
Collection section. 


(U//FOUO)


(U) Provisions of FAA §702 certifications—internal and external oversight

(U//FOUO) The FAA §702 targeting and minimization procedures provide that NSA
will conduct the following oversight:


• (U) Implement a compliance program with ongoing oversight of its exercise
of FAA §702 authority, including the associated targeting and minimization
procedures


• (U) Develop and deliver training regarding procedures to ensure that
intelligence personnel responsible for approving targeting of persons under
these procedures, as well as analysts with access to the acquired foreign
intelligence information, understand their responsibilities and the procedures
that apply to this acquisition


• (U) Establish processes for ensuring that raw traffic is labeled and stored only
in authorized repositories and is accessible only to those who have had the
proper training


• (U//FOUO) Conduct ongoing oversight activities and make necessary reports
to the NSA OIG and OGC, including reports of non-compliance


• (U) Ensure that corrective actions are taken to address identified deficiencies


• (U) Conduct periodic spot checks of targeting decisions and intelligence
disseminations to ensure compliance with established procedures and conduct
periodic checks of queries in data repositories


• (S//NF) Report incidents of non-compliance with the targeting and
minimization procedures within five business days of discovery to the DoJ 
NSD and ODNI’s oversight team.” 


(U) DoJ NSD and ODNI oversight requirements include: 


• (U) Oversee NSA’s exercise of the FAA §702 authority, including bi-monthly
reviews to evaluate the implementation of the procedures


• (U) Oversee NSA’s activities with respect to use of USP identifiers to query
communications collected under FAA §702.


(U) NSA oversight 


(U//FOUO) NSA operates a comprehensive oversight framework to maintain
compliance with the FAA §702 targeting and minimization procedures. The NSA 
organizations that perform oversight are described below. 


(U//FOUO) FAA §702 Authority Lead is responsible for the implementation and
operation of the FAA §702 authority for NSA. The FAA §702 Authority Lead serves 
on NSA’s corporate Authorities Integration Group and works with other NSA 
mission Authority Leads and corporate, legal, policy, compliance, and technology 
personnel to coordinate implementation of NSA mission authorities. The FAA §702 
Authority Lead addresses the tactical and strategic elements of the program; interacts 
regularly with NSA’s OGC, ODOC, TD, LAO, and SID; routinely interacts with DoJ 
NSD, ODNI, FBI, and CIA; provides direction regarding daily operational and 
technical questions; and coordinates input to reports to Congress and the FISA Court. 


(U//FOUO) Authorities Integration Group (AIG) is administratively assigned to
ODOC and reports to the NSA Deputy Director. The AIG works directly with SID 
and Information Assurance Directorate authority leads, including the FAA §702 
Authority Lead, and holds weekly meetings with the authority leads and corporate 
process leads (e.g., TD, ODOC, OGC) to bring legal, policy, compliance, technology, 
and mission areas together to provide recommendations on the implementation of the 


°” (U) ODNI’s oversight team is comprised of ODNI’s Office of General Counsel, ODNI’s Civil Liberties and 
Privacy Office, and ODNI’s Office of the Deputy Director of National Intelligence for Intelligence 
Integration /Mission Integration Division. 
authorities. The AIG focuses on the activities of each authority, internal and
external, to ensure that they are coordinated and integrated across NSA. The AIG 
acts as a “forcing function” within NSA, facilitating discussion among the 
Directorates to promote better understanding of how decisions affect the various 
authorities. The AIG updates the NSA Deputy Director quarterly on each authority. 


(U//FOUO) Office of the Director of Compliance (ODOC) is responsible for
developing and directing the execution of compliance strategies and activities focused 
on protecting USP privacy during the conduct of authorized NSA missions. ODOC 
has the authority to develop, implement, and monitor a Comprehensive Mission 
Compliance Program for the Agency, which addresses: (1) integration of compliance 
strategies and activities across NSA mission, technology, and policy organizations; 
(2) a training and education program for compliance; and (3) maintenance of and 
reporting on the status of mission compliance. The CMCP’s focus is on mission 
compliance, particularly in Signals Intelligence and Information Assurance 
operations, including the technology base on which they function. The key objective 
of the CMCP is to provide reasonable assurance that the legal authorities and policies 
affecting USP privacy are reliably and verifiably followed by NSA. The CMCP 
includes activities and funding to support compliance with FAA §702, such as 
compliance target validation and query tools. 


(U//FOUO) ODOC’s monitoring activities provide continuous assessment to
determine whether internal controls are operating as intended. Its assessments help 
management evaluate the effectiveness of the compliance program and its 
components. For example, ODOC reviews compliance activities associated with 
queries in NSA repositories, including those related to FAA §702: 


• (U//FOUO) ODOC [illegible; (b)(3)-P.L. 86-36]
forwarded to the query audit database that could indicate a problem in
communicating with the repositories queried,


• (U//FOUO) It verifies that all queries requiring post-query review are
assigned to reviewers,


• (U//FOUO) It monitors the number of queries selected for review and the
timeliness of review, and


• (U//FOUO) It tracks the super audits performed by SV (see the Oversight
section).


(U//FOUO) In addition, ODOC performs Compliance Vulnerability Discovery
(CVD) reviews that focus on high-risk areas within the CMCP to discover 
compliance weaknesses. In 2013, ODOC completed two CVDs focused on mission 
compliance with SIGINT authorities. Table 39 summarizes these CVDs. 
(U) Table 39. Compliance Vulnerability Discovery Reviews


05/03/13 | FISA/FAA §702 | Multiple Communications Transactions | Reviewed implementation of controls to segregate unauthorized data from NSA’s FAA §702 Upstream Multiple Communications Transactions

07/17/13 | All | Data Tagging | Reviewed data from NSA systems for proper tagging to support designation of these systems


(b)(3)-P.L. 86-36


(U//FOUO) ODOC has also implemented processes to ensure that NSA
representations to external overseers are accurate and NSA personnel have a
consistent understanding of program activities. VoA and verification of 
implementation reviews are performed on written NSA representations that describe 
the Agency’s acquisition, processing, retention, analysis, and dissemination and form 
the basis for legal opinions, FISC Orders, and Executive Branch decisions. In 2013, 
ODOC conducted VoAs with FAA §702 stakeholders for the affidavits and targeting 
and minimization procedures supporting renewals of FAA §702 certifications. One 
verification of implementation was conducted in June 2013 with NSA external 
partners (DoJ NSD and ODNI) on procedures for implementing the FAA §702 
targeting procedures. 


(U//FOUO) SV implements the SIGINT compliance program across NSA. SV
establishes SIGINT compliance standards and provides guidance across the global 
SIGINT enterprise, manages incidents of non-compliance, monitors compliance in 
high risk areas, resolves problems, and verifies compliance through audits and by 
managing the SIGINT Intelligence Oversight Officer program. SV manages 
resources to ensure that NSA corporate systems and capabilities align with CMCP 
solutions. 


([illegible]//REL TO USA, FVEY) To maintain NSA’s compliance with the FAA §702
targeting and minimization procedures, SV:


(b)(3)-50 USC 3024(i)


• (U//FOUO) Adjudicates TRs for selectors nominated by the CIA and FBI,
utilizing the same process used for NSA TRs


• (TS//SI//NF) Reviews [redacted] tasking
requests for completeness.


• (S//REL TO USA, FVEY) Performs post-tasking analysis for FAA §702
selectors suspected of being accessed within the United States [redacted]
• (U//FOUO) Investigates all incidents of non-compliance with FAA §702
targeting and minimization procedures, coordinating with TV when a potential
incident involves a system. SV works with the mission team to document
FAA §702 incidents, promptly reports them to OGC, OIG, and ODOC, and
maintains a permanent record


• (U//FOUO) Works with mission personnel and OGC to process destruction
waivers as needed


• (U//FOUO) Conducts super audits of queries of raw SIGINT databases that
provide records of queries to the corporate logging and auditing system to
analyze the quality of query reviews by auditors


• (U//FOUO) Completes Purge Verification Activities quarterly for [redacted; (b)(3)-P.L. 86-36]
and certain other stores that hold FAA §702 data to assess NSA’s
effectiveness in purging non-compliant SIGINT


• (U//FOUO) Oversees use of MCTs as a source for reporting and verifies
completion of required documentation °° 


• (U//FOUO) Serves as the FAA §702 tasking liaison for the NSA enterprise,
IC customers (FBI and CIA), and overseers from DoJ NSD and ODNI


• [marking illegible] Provides documentation for review by DoJ NSD and ODNI. SV
[illegible; (b)(3)-P.L. 86-36] for each selector tasked and reviews records of
information shared with NSA SIGINT partners for compliance with
dissemination requirements. Records of database queries using USP query
terms and records of USP reporting are also provided to overseers. SV
coordinates responses by NSA organizations to questions from DoJ NSD and
ODNI during their review of information SV made available.


• (U//FOUO) Pre-approves USP content queries in conjunction with OGC


• (U//FOUO) Participates in the verification of accuracy process for renewals of
certifications and targeting and minimization procedures


• (U//FOUO) Partners with the Associate Directorate for Education and
Training to develop and implement oversight and compliance training for the
SIGINT workforce. SV co-develops and reviews all updates of the FAA §702
course.


(U//FOUO) SID Analysis and Production, Mission and Compliance Office: This
office supports all areas of NSA’s SIGINT operations by overseeing: 


OLASHATEY Three types of MCTs are made available to analysts. Two types of transactions made available to 
analysts after the MCT sequestration process are those that contain only discrete communications (no MCTs) and 
those where the active user of the selector is a targeted individual. SV performs oversight of the third type, where 
the active user of the selector is a non-targeted individual outside the U.S. (an example of “abouts” collection). SV 
examines these MCTs for compliance with NSA reporting guidance (ISS-185-11), which states that analysts are 
“only authorized to use those discrete portions of MCTs containing the targeted selector.” 
• (U//FOUO) FAA §702 adjudication and training (interfacing with analysts
on how to use the authority, approving new adjudicators who meet training
and mission requirements, and reviewing adjudicated TRs for compliance)


• (S//NF) Dual-route adjudication (approving provision of the results of
targeting to the CIA or FBI for selectors already on NSA collection)


• (S//REL TO USA, FVEY) FISA and production metrics (providing
feedback to management on use of the authority and analyst/adjudicator
performance)


• (S//REL TO USA, FVEY) The application of the authority (e.g.,
dated instructions for maintaining compliance when [redacted]
were not operating, targeting and adjudication checklists, and general
guidance on the analytic use of the authority).

(b)(1)
(b)(3)-P.L. 86-36


(U//FOUO) TD Office of Compliance (TV) is responsible for identifying, assessing,
tracking, and mitigating compliance risks, including USP privacy concerns, in NSA 
mission systems across the extended enterprise, including systems that hold FAA 
§702 data. TV manages the system compliance certification process, continuous 
compliance monitoring, and technical compliance incident reporting and also trains 
technical personnel. TV performs VoAs for areas assigned to it in NSA 
representations. 


[illegible] TV began certifying FISA systems, including the FAA §702
systems, to ensure compliance with the law and policies protecting USP privacy (see
the Repositories section). (b)(3)-P.L. 86-36

(U) The Office of the General Counsel provides legal advice to NSA and is the
liaison to DoJ NSD for NSA’s FAA §702 program. One of its main oversight
responsibilities includes independently assessing potential incidents of
non-compliance.


(U) OGC receives reports of potential incidents of non-compliance from SV. OGC 
compiles FAA §702 incidents daily, provides them to DoJ NSD and ODNI, and 
makes an initial determination whether incidents represent non-compliance with the 
FAA §702 certifications and targeting and minimization procedures. OGC notifies 
DoJ NSD and the ODNI’s oversight team of potential incidents of non-compliance
with the targeting procedures within five business days of discovery, as FAA §702 
targeting procedures require. OGC reviews all proposed disseminations of 
information constituting USP attorney-client privileged communications before 
dissemination, as NSA’s FAA §702 minimization procedures require. For all 
violations of NSA’s FAA §702 targeting and minimization procedures, OGC 
coordinates input from NSA organizations and edits the content for factual and legal 
accuracy. DoJ NSD prepares Rule 13 notices, in coordination with ODNI. 
(U) OGC performs additional oversight responsibilities including:


(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


(U//FOUO) Reviews requests to perform content queries using USP selection
terms. Only OGC approved selection terms can be used to perform content 
queries of USP information. 


tasking requests for completeness. 


(U//FOUO) Participates in the VoA process.


(U//FOUO) Reviews and makes updates to the FAA §702 course, as
necessary. 


(U) Office of the Inspector General (OIG) conducts audits, special studies, 
inspections, investigations, and other reviews of the programs and operations of NSA 
and its affiliates. OIG oversight includes: 


(U) Performing audits and special studies of the FAA §702 program 


(U) Receiving notification of incident reports for all NSA authorities, 
including FAA §702, saved in the Agency’s corporate incident reporting 
database 


(U//FOUO) Reviewing Congressional notifications and notices filed with the
FISC of incidents of non-compliance with FAA §702 targeting and 
minimization procedures 


(U) Preparing Intelligence Oversight Quarterly Reports, in coordination with 
the DIRNSA and OGC, that summarize compliance incidents for all 
authorities occurring during quarterly review periods and forwarding the 
reports to the President’s Intelligence Oversight Board through the 
ATSD(IO) ”” 


(U) Performing intelligence oversight reviews during OIG inspections of joint 
and field sites 


(U) Maintaining the OIG Hotline, responding to complaints, including 
allegations of SIGINT misuse by NSA affiliates operating under DIRNSA’s 
authority 


(U) Reporting immediately to the ATSD(IO) a development or circumstance 
involving an intelligence activity or intelligence personnel that could impugn 
the reputation or integrity of the IC or otherwise call into question the 
propriety of an intelligence activity. 


*7 (U//FOUO) In 2014, the ATSD(IO) was changed to the Office of the Senior DoD Intelligence Oversight Official.


DOCID: 4273474
TOP SECRET//SI//NOFORN
ST-14-0002

(U//FOUO) The OIG reviews management controls, maintains awareness of
compliance incidents, and stays informed of changes affecting NSA authorities, 
including FAA §702. OIG reviews of the FAA §702 program allow it to 
independently assess compliance with minimization procedures. Since the Agency 
obtained FAA §702 authority in January 2008, the OIG has completed annual reviews 
of reports containing references to USP identities and targets later determined to be in 
the United States, as the statute requires. The OIG has also completed two special 
studies of the program (Table 40). 


(U) Table 40. OIG Reviews of the FAA §702 program 


[Table 40 is largely illegible in this copy. Recoverable fragments: an entry referencing ST-11-0009 and "maintaining compliance with targeting and minimization procedures", and an entry dated 10/29/13.]

(b)(3)-50 USC 3024(i)


(U) External oversight

(U//FOUO) DoJ NSD and ODNI closely coordinate to perform oversight to ensure
that NSA’s FAA §702 program is compliant with the statute and FISC rulings. DoJ 
NSD is the primary liaison between NSA and the FISC for all matters pertaining to 
the FAA §702 program. DoJ NSD and ODNI oversight includes: 


• (U//FOUO) Reviewing and approving annual certification renewals and
updates of the associated targeting and minimization procedures and filing
them for FISC approval


• (U) Providing guidance to the NSA OGC on legal opinions relating to the
interpretation, scope, and implementation of the FAA §702 authority


• (U//FOUO) Reviewing briefings on NSA proposals to substantially modify
systems or processes supporting FAA §702. This allows NSD to determine
that the modifications are lawful and that the Attorney General (AG) and the
FISC are aware of the scope and nature of the changes


• (U) Evaluating and investigating potential incidents of non-compliance with
the statute or procedures and reporting any matter determined to be a
compliance incident to the FISC


• (U) Reviewing NSA briefings and training transcripts to ensure that they
accurately describe the requirements of the FAA §702 Orders


• (S//NF) Performing bi-monthly reviews of NSA authorities under the [redacted]
FAA §702 certifications. The reviews include NSA’s targeting decisions,
including source documentation supporting these determinations, to assess
compliance with NSA targeting procedures and AG Acquisition Guidelines.
The reviews also examine database queries using USP query terms and
disseminations of serialized reporting and EMT.

(b)(1)
(b)(3)-P.L. 86-36
(b)(3)-50 USC 3024(i)


• (U) Preparing the periodic reports the statute requires:


1. (S//NF) DoJ submits the Semiannual Reports of the AG Concerning
Acquisitions under Section 702 of the FISA to Congress and the FISC.
Pursuant to FISA §707, the AG reports on the acquisition of foreign
intelligence information conducted under the [redacted] FAA §702
certifications by NSA and FBI. While the CIA does not acquire the
information, it may receive unminimized data that NSA and FBI acquired.
The AG’s semiannual reports focus on analysis of incidents of
non-compliance with targeting and minimization procedures by NSA and FBI
and incidents of non-compliance with minimization procedures by CIA.


2. (S//NF) Jointly, the AG and the DNI submit the Semiannual Assessments
of Compliance with Procedures and Guidelines Issued Pursuant to Section
702 of the FISA to Congress and the FISC. These reports summarize the
oversight performed on implementation of the FAA §702 authority, trends
in targeting and minimization (e.g., changes in the number of selectors
under collection and statistics on use of the certifications), and
compliance incidents with the FAA §702 authority for NSA, FBI, and the
CIA.


• (U) ODNI hosts bi-monthly interagency meetings and a weekly phone call to
discuss FAA §702 implementation and compliance matters.


(S//NF) The FISC reviews and, when satisfied that the legal requirements have been
met, approves all renewals of certifications and targeting and minimization 
procedures for the FAA §702 authority that have been authorized by the AG and 
DNI.”* In addition, the FISC reviews representations NSA made regarding the 
operation of the program and Rule 13 notices of incidents of non-compliance filed by 
DoJ NSD on behalf of NSA. If the Court finds that incidents of non-compliance 
result from processes inconsistent with the targeting and minimization procedures 
(e.g., incomplete application of the [redacted] identification), NSA will be
required to change its internal systems or procedures and report to the Court on the
progress made to achieve compliance. The Court may also determine that additional
measures or changes are required to the targeting and minimization procedures (e.g.,
sequestration of MCTs), if it deems that NSA processes do not adequately protect
USPs.


°8 (U//FOUO) The AG and DNI authorize the collection of data pursuant to FAA §702 using targeting and
minimization procedures adopted by the AG (in consultation with the DNI). The FISC must approve the 
certifications and associated procedures that the AG and DNI have authorized. 
(U//FOUO) Table 41 summarizes the oversight provisions of the FAA §702 targeting
and minimization procedures and the controls NSA implemented to maintain 
compliance. 


(U) Table 41. Oversight Provisions and Controls 


(U//FOUO) NSA operates a comprehensive
oversight framework to maintain compliance 
with the FAA §702 targeting and minimization 
procedures. This compliance framework is 
collectively managed by the NSA organizations 
described above. 


(U//FOUO) SV partners with the Associate
Directorate for Education and Training to 
develop and implement oversight and 
compliance training for the SIGINT workforce. 
SV co-developed and reviewed all updates of 
the FAA §702 course. OGC also reviews and 
updates the FAA §702 course. 


(U) NSA will implement a compliance program,
and will conduct ongoing oversight, with respect
to its exercise of the authority under FAA §702,
including the associated targeting and
minimization procedures.


(U) NSA will develop and deliver training
regarding the applicable procedures to ensure
intelligence personnel responsible for approving
the targeting of persons under these procedures,
as well as analysts with access to the acquired
foreign intelligence information, understand their
responsibilities and the procedures that apply to
this acquisition.


(U) NSA will establish processes for ensuring that
raw traffic is labeled and stored only in authorized
repositories and is accessible only to those who
have had the proper training.


(U//FOUO) TV certifies FISA systems
periodically, including the FAA §702 systems, to 
ensure that they comply with law and policy 
protecting USP privacy. TV’s certification 
process evaluates system controls for 
maintaining compliance in a number of areas, 
including data tagging and data access. 


(U//FOUO) SV and TV investigate incidents of
non-compliance with FAA §702 targeting and 
minimization procedures. SV works with 
mission teams to document FAA §702 
incidents. SV promptly reports potential 
incidents to OGC and ODOC and maintains a 
permanent record. When a potential incident 
involves a system, TV manages the incident 
investigation. 

(U//FOUO) The OIG receives notification of
incident reports for all NSA authorities, including 
FAA §702. The OIG also receives 
Congressional notifications and notices filed 
with the FISC of incidents of non-compliance 
with the FAA §702 targeting and minimization 
procedures. 

(U//FOUO) OGC receives notifications of
potential incidents of non-compliance for all 
NSA authorities. OGC compiles FAA §702 
incidents daily (which it provides to DoJ NSD 
and ODNI), and assesses whether incidents 
represent possible non-compliance with the 
FAA §702 certifications and associated 
targeting and minimization procedures. 


(U) NSA will conduct ongoing oversight activities
and make any necessary reports, including those
relating to incidents of non-compliance, to the
NSA OIG and OGC, in accordance with the NSA
charter.
(U//FOUO) SV and TV investigate all incidents
of non-compliance with FAA §702 targeting and 
minimization procedures and monitor corrective 
actions. 

(U) OIG performs audits and special studies of
the FAA §702 program; tracks 
recommendations until completion. 


(U//FOUO) SV performs oversight of targeting
decisions, queries, and dissemination and 
provides documentation for review by DoJ NSD 
and ODNI to support their oversight of NSA’s 
implementation of FAA §702. SV also conducts 
super audits of queries of raw SIGINT 
databases. 

(U) OGC reviews all proposed disseminations of 
information constituting USP attorney-client 
privileged communications before 
dissemination. 


(U//FOUO) OGC notifies external overseers of
incidents of possible non-compliance with the 
targeting procedures within five business days 
of discovery. OGC coordinates input by NSA 
organizations for Rule 13 notices prepared by 
DoJ NSD, in coordination with ODNI, for all 
violations of the FAA §702 targeting and 
minimization procedures. 


(U) NSA will ensure that necessary corrective 
actions are taken to address any identified 
deficiencies. 


(U) NSA will conduct periodic spot checks of 
targeting decisions and intelligence 
disseminations to ensure compliance with 
established procedures, and conduct periodic 
spot checks of queries in data repositories. 


(U//FOUO) NSA will report incidents of non-compliance
with the targeting and minimization
procedures within five business days of discovery 
to the DoJ NSD and ODNI OGC, and ODNI 
CLPO. 


(U//FOUO) DoJ NSD and ODNI will oversee
NSA’s exercise of the FAA §702 authority, which
will include bi-monthly reviews to evaluate the
implementation of the procedures.

(U//FOUO) DoJ NSD and ODNI will oversee
NSA's activities with respect to use of USP
identifiers to query communications collected
under FAA §702.

[marking illegible] DoJ NSD and ODNI perform bi-monthly
reviews of NSA authorities under the
FAA §702 certifications. DoJ NSD and ODNI
review NSA’s targeting decisions, including the
source documentation supporting these
determinations, to assess compliance with NSA
targeting procedures and Attorney General's
(AG) Acquisition Guidelines. NSD and ODNI
also review queries, and disseminations of
serialized reporting and EMT.

(b)(1)
(b)(3)-P.L. 86-36

(U) FAA §702 Incidents of Non-Compliance


(U//FOUO) FISC Rules of Procedure require NSA to report to the FISC “corrections 
of material facts” and “disclosures of non-compliance” with FAA §702. In addition, 
NSA determines whether Congressional notifications are required. 


(U) FISC Rules of Procedure 


(U//FOUO) The FISC Rules of Procedure govern all FISC proceedings. Rule 13, 
Correction of Misstatement or Omission; Disclosure of Non-compliance, is the 
procedure NSA follows when notifying the Court, through DoJ NSD, of incidents of 
non-compliance with FAA §702. 


(U) Rule 13(a) Correction of Material Facts. If the government discovers that a 
submission to the Court contained a misstatement or omission of material fact, the 
government must immediately, in writing, inform the Judge to whom the 
submission was made of: 


(1) (U) the misstatement or omission; 
(2) (U) necessary corrections; 
(3) (U) the facts and circumstances relevant to the misstatement or omission; 


(4) (U) modifications the government has made or proposes to make in how it will 
implement any authority or approval granted by the Court; and 


(5) (U) how the government proposes to dispose of or treat information obtained 
as a result of the misstatement or omission. 


(U) Rule 13(b) Disclosure of Non-compliance. If the government discovers that 
an authority or approval granted by the Court has been implemented in a manner 
that did not comply with the Court’s authorization or approval or with applicable 
law, the government must immediately, in writing, inform the Judge to whom the 
submission was made of: 


(1) (U) the non-compliance; 
(2) (U) the facts and circumstances relevant to the non-compliance; 


(3) (U) modifications the government has made or proposes to make in how it will 
implement any authority or approval granted by the Court; and 


(4) (U) how the government proposes to dispose of or treat information obtained 
as a result of the non-compliance. 


(U) Identifying and Reporting Incidents of Non-compliance 


(U) Identifying incidents of non-compliance 


(U//FOUO) All potential incidents of non-compliance with FAA §702 certifications 
and targeting and minimization procedures are reported to SV or TV upon discovery 
by analysts and others operating under the authority, as documented in the FAA §702 
Program Control Framework section - Incident Recognition and Reporting. Training 
provides a heightened sense of awareness for personnel to identify potential 
violations. Incidents may also be discovered through oversight mechanisms 
addressed in the FAA §702 Program Control Framework section Post-Targeting and 
Oversight. Monitoring and oversight include manual and technical controls to detect 
abnormalities. 


(U//FOUO) After review of the incident, SV or TV forwards documentation to OGC. 
If OGC believes a violation of the targeting and minimization procedures has or may 
have occurred, even if all the facts have not been gathered, preliminary notification is 
sent to DoJ NSD. OGC notifies DIRNSA of instances of non-compliance, as 
appropriate. Upon receiving initial notification from OGC, DoJ NSD drafts, in 
conjunction with ODNI, a notification to the Court, should one be required under the 
FISC Rules of Procedure. 

(U//FOUO) Once the facts have been gathered and OGC has made an initial 
determination that a non-compliant FAA §702 event has occurred, OGC finalizes a 
notification of non-compliance and forwards it to DoJ NSD and ODNI, which make 
the final determination as to whether there has been an incident of non-compliance 
that must be reported to the FISC. If DoJ NSD and ODNI determine that an incident 
of non-compliance has occurred, DoJ drafts a notification, which is coordinated with 
the IC elements involved, finalizes it, and files the notice with the Court. 


(U//FOUO) DoJ NSD often follows up on preliminary notifications with one or more 
additional notifications. In some cases, the preliminary notification of an incident 
serves as the final notice of that incident. ° 


(U//FOUO) In 2013, [redacted] incidents of non-compliance (13(b)s) were filed with the 
FISC for matters identified in that calendar year. None of these incidents involved 
inaccurate information in previously filed declarations to the Court, requiring that a 
Rule 13(a) notice of correction of material fact be filed. 


(U) Congressional notifications 


(U//FOUO) DIRNSA, as head of an IC element, has a statutory obligation to keep the 
Senate Select Committee on Intelligence and the House Permanent Select Committee 
on Intelligence fully and currently informed of all significant intelligence activities. °° 
NSA resolves doubts about notification in favor of notification. In addition to 
notifying Congress and the Director of National Intelligence, DIRNSA must notify 
the USD(I) and other USD(I) staff, as directed by USD(I) guidance. For all 
FAA §702 incidents of non-compliance reported to Congressional intelligence 
committees, NSA also provides discretionary notifications to the Senate and House 
Committees on the Judiciary. 


(U//FOUO) NSA’s LAO manages NSA’s liaison with the Congress, and with the 
DNI, DoD, the IC, and other U.S. government departments and agencies regarding 
matters of concern to Congress. LAO is NSA’s focal point for Congressional 
inquiries, correspondence, questions for the record, and RFIs directed to NSA. 


(U//FOUO) NSA/CSS Policy 1-33 provides guidelines for identifying matters that 
OGC and LAO must consider reporting to the Congressional intelligence committees 
under 50 U.S.C. §§3091 and 3092. The guidelines do not constitute a comprehensive 
list of what must be reported. Compliance incidents are assessed under a general 
guideline to consider reporting matters that the intelligence committees have 
expressed a continuing interest in or which otherwise qualify as significant 
intelligence activities or failures. 


°° (U//FOUO) DoJ NSD files the “Quarterly Report to the Foreign Intelligence Surveillance Court Concerning 
Compliance Matters Under Section 702 of the Foreign Intelligence Surveillance Act” which includes incidents DoJ 
NSD and ODNI determined to be violations of the targeting and minimization procedures (13(b)s) as well as all 
other incidents determined not to meet the reporting requirements of 13(b). This quarterly report to the FISC also 
provides supplemental information on previously reported compliance incidents. 

(U) 50 U.S.C. §3091, as implemented by Intelligence Community Directive 112, Congressional Notification, 
16 November 2011, requires the head of each element of the IC to inform Congress on significant intelligence 
activities. 


DOCID: 4273474 
ST-14-0002 


(U//FOUO) NSA works to keep Congressional intelligence committees fully and 
currently informed about the Agency’s activities over and above what is strictly 
required to be reported under the guidelines outlined in NSA/CSS Policy 1-33. At a 
minimum, however, NSA must keep the Congressional intelligence committees 
timely informed of all major intelligence policies and activities and provide the 
information those Committees request. 


(U//FOUO) Determining whether Congressional notification should be provided is a 
judgment based on the facts and circumstances and on the nature and extent of 
previous notifications to Congress on the same matter. Not every intelligence activity 
warrants Congressional notification. NSA’s analysis of the FAA §702 incidents of 
non-compliance filed during 2013 resulted in two incidents reported in Congressional 
notifications; one related to a 2013 incident, and the other to an incident first reported 
in 2012. 


(TS//SI//NF) Congressional Notification [redacted] reported a retention 
and dissemination compliance incident involving an NSA corporate database [redacted] 


(TS//SI//NF) Congressional Notification [redacted] provided resolution of a 
matter first reported to the Congressional intelligence committees on [redacted]. 
This update reported on the actions taken to resolve the 
matter, including correction of the affected system component, purge of affected 
transactions, verification that no disseminated reports had been based upon 
overcollected data, and implementation of a post-acquisition review of this type of 
data to identify future overcollection. 

(U) Incidents of Non-compliance in 2013 

(b)(3)-P.L. 86-36 


(U//FOUO) In 2013, DoJ reported to the Court [redacted] incidents of non-compliance with 
FAA §702. The incidents and rates of occurrence are in Table 42. 


(U//FOUO) Table 42. FAA §702 Incidents of Non-Compliance 
Reported in 2013 


Non-compliance with Documentation 
Requirement 


* (U) Tasking errors—foreignness support was insufficient to support tasking (e.g., foreignness was 
not reestablished following travel to the United States, foreign intelligence purpose explanation was 
insufficient, or a typographical error was made). 


† (U) Detasking error examples include: (1) delayed detasking which occurs when NSA has a foreign 
intelligence target, reasonably believed to be outside the United States at the time of tasking, and 
later learns that the target plans to travel to the United States, but does not detask the target’s 
selectors before the target arrives in the United States; and (2) incomplete detasking of all tasked 
selectors when it is determined the target is no longer eligible for tasking. 

‡ (U) Notification—NSA’s targeting procedures require certain incidents be reported to NSD and 
ODNI within five business days, even if these incidents do not involve non-compliance with the 
targeting procedures. Specifically, NSA is required to terminate acquisition and notify NSD and 
ODNI if “NSA concludes that a person is reasonably believed to be located outside the United States 
and after targeting this person learns that the person is inside the United States, or if NSA concludes 
that a person who at the time of targeting was believed to be a non-United States person was in fact 
a United States person.” 


§ (U//FOUO) Documentation Errors—The targeting procedures require that NSA provide a citation to 
the source of information upon which the determination of the target’s foreignness was made. These 
errors, in which the citations were not considered adequate to support the foreignness of the user of 
the selector tasked, were identified through DoJ and ODNI review of NSA tasking. 

1 (U) Minimization errors may include errors in querying, reporting, and retention. 


** (U) The “other” incident type often pertains to instances in which systems that support compliance 
are not operating as intended. 


SHS 


(U//FOUO) Examples of incidents, including actions NSA took to mitigate 
recurrence, follow. This information is taken from the 13(b) notices DoJ NSD filed 
with the FISC. 


(U//FOUO) Example 1: Incident as a result of delayed detasking 


Notice of Compliance Incident Regarding Section 702-Tasked [redacted] 

(b)(3)-P.L. 86-36 

[redacted] NSA reported to the National Security Division (NSD) and 
the Office of the Director of National Intelligence (ODNI) a delay in the detasking of 
[redacted]. NSA determined that the [illegible] user of [one of the selectors] had traveled to the U.S. 
[redacted] an NSA analyst detasked [the selector associated with the travel]. The 
[illegible], however, inadvertently did not detask the other selectors used by the 
target. NSA discovered this [illegible] and [illegible] the 
same day. The continued tasking of the [remaining selector] was not discovered until 
[redacted], when [the selector] was immediately detasked. 


(U//FOUO) Action taken to mitigate recurrence: The target office [was] reminded of 
the need to identify and immediately detask all facilities used by a target when the target 
is found to be in the United States. 


(U//FOUO) NSA did not issue a Congressional notification about this incident. The 
incident was included in the Semiannual Report of the Attorney General Concerning 
Acquisitions under Section 702 of the Foreign Intelligence Surveillance Act, dated 
March 2014. 


(U//FOUO) Example 2: Other incident (technical error) 


(b)(1) 
(b)(3)-P.L. 86-36 

Preliminary [redacted] NSA [redacted] notified the NSD of an 
incident regarding the [redacted] post-tasking checks NSA conducts to help ensure that 
accounts tasked for collection pursuant to Section 702 are not 
being used from inside the U.S. NSA provided written notice of this incident to NSD and 
the ODNI [redacted] 


NSA identified the following compliance incident as a result of its ongoing [redacted] 


NSA’s post-tasking [redacted] checks are intended to identify indications that 
users of Section 702-tasked [selectors] may be inside the U.S. [redacted] 


[redacted] NSA identified that certain Section 702 [selectors] were 
not [illegible] sent from [redacted] thereby preventing [redacted] 
checks from being [redacted] 


[redacted] NSA has reviewed [redacted] and confirmed that there is no [redacted] 
indicating that any of the users of the [redacted] [selectors] were [redacted] 


[redacted] made a modification to ensure [redacted] 
are now sent to [redacted] 


NSA, NSD, and ODNI [at the time] continue[d] to investigate this incident. The 
Department of Justice [committed] to continue to inform the Court of additional 
information regarding this incident as it became available. 


Supplemental/Final: As detailed in the preliminary notice..., NSA determined 
[redacted] sent from NSA’s [redacted] 

(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 

[redacted] previously unknown indications [redacted] NSA was in the process 
of fixing this issue at the time the 13(b) was reported to the FISC. 
NSA [at that time] continued to investigate the alert. 

To prevent the potential for future compliance incident, NSA has corrected the error that [redacted] 

[redacted] while those facilities were tasked for Section 702 acquisition. With respect to 
the remaining [redacted] [selectors], NSA has identified one confirmed period of roaming in [redacted] 
accounts have been detasked. 


Summary of action taken to mitigate recurrence: With respect to the [redacted] 
[selectors] discussed above, NSA advises that the unique identifiers associated with 
communications acquired while users were or may have been in the U.S. were added to 
NSA’s Master Purge List (MPL) in discover status. 


(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


The notice also stated that DoJ would include this issue in its quarterly report to 
the Court regarding Section 702 compliance occurrences and that the report would 
confirm that NSA had added the communications to the MPL in purge state. 


(U//FOUO) NSA did not issue a Congressional notification about this incident. The 
preliminary incident of non-compliance was included in the Semiannual Report of the 
Attorney General Concerning Acquisitions under Section 702 of the Foreign 
Intelligence Surveillance Act, dated March 2014. 


(U) NSA Use of the FAA §702 Authority 

NSA asserts that the FAA §702 authority provides significant foreign 
intelligence information related to the foreign intelligence categories specified in the 
[redacted] certifications cover [redacted] 

(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 

(U) Methods Used to Assess Effectiveness 


(U//FOUO) NSA maintains a variety of statistics related to the FAA §702 authority 
that show the overall contributions to NSA SIGINT reporting, how customers value 
and use reports, and the unique access to foreign intelligence information FAA §702 
provides. Data presented in this report is for calendar year 2013, unless otherwise 
noted, and statistics are limited to NSA reporting. 


(U) FAA §702 contributions to SIGINT reporting 


As Figures 9 and 10 show, information obtained 
under FAA §702 is a key and growing source of reportable foreign intelligence to 
U.S. government consumers, and allied foreign governments. Of the more than 
[redacted] SIGINT reports issued in calendar year 2013, [redacted] percent were based in 
whole or in part on FAA §702 information. 

(b)(3)-P.L. 86-36 


(U) Figure 9. Total SIGINT Reports Issued in CY2013 

(b)(3)-P.L. 86-36 


(U) Figure 10. SIGINT Reports Based in Whole or in Part 
on FAA §702 or PAA Collection 

(b)(3)-P.L. 86-36 

Axis labels: 2008, 2009, 2010, 2011, 2012 


8 When a report is solely sourced to an authority, it indicates that a particular source 
was used by the analyst but does not mean that the collection was only available from that one source of collection. 

During 2013, NSA disseminated an average of over [redacted] 
serialized SIGINT reports a month that included information collected under the 
FAA §702 certifications. 

(b)(3)-P.L. 86-36 

NSA management believes that disseminated reports 
based on FAA §702 collection further the U.S. government’s understanding of high 
priority international terrorism targets. Beyond disseminated reports, collection 
obtained under FAA §702 contributes to [redacted] 


(TS//SI//REL TO USA, FVEY) On average, during 2013 NSA disseminated [redacted] 
SIGINT reports per month concerning international terrorism that include information 
derived from FAA §702 collection. 


(U) Figure 11. Terrorism-Specific SIGINT Reports Sourced with 
FAA §702 Information CY2013 

(b)(3)-P.L. 86-36 


10 (U//FOUO) The number of issued reports was obtained in November 2014 from NSA’s management information 
system for SIGINT production. The number of reports for any period is net of any reports recalled after they were 
issued. 

On average, more than [redacted] selectors were tasked for acquisition 
under FAA §702 during 2013. 

(b)(3)-P.L. 86-36 


(U) Analyst Use of the Authority 


The FAA §702 authority is utilized broadly to [illegible] NSA missions. Its 
usefulness is confirmed by the above statistics, as well as the fact that the number of 
selectors tasked to the authority has increased [redacted] 
since 2010. Similarly, the increase in the number of reports sourced by FAA §702 
communications has [redacted] the same period. 


(U) FAA §702 Contributions to the Intelligence Mission 


(U) In 2013, NSA reported to the Senate Committee on the Judiciary that 
“information gathered from Section 702 of the FISA Amendments Act and Section 
215 of the Patriot Act, in complement with NSA’s other authorities, has contributed 
to the United States government’s understanding of terrorism activities and, in many 
cases, has enabled the disruption of potential terrorist events at home and abroad.” 


(U) On 21 June 2013, NSA provided to several Congressional committees testimony 
concerning 54 cases in which these programs contributed to the U.S. government’s 
understanding and, in many cases, disruption of terrorist plots in the United States 
and more than 20 countries. 


(U) The SIGINT Directorate provided to the OIG additional examples of the value of 
FAA §702 collection to NSA missions. 

(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-18 USC 798 
(b)(3)-50 USC 3024(i) 

Disruption of plot targeting U.S. and [redacted] 

Section 702 [redacted] disrupted the potential attack [redacted] 

Based on Section 702 collection, [redacted] 

(TS//SI//NF) Disruption of plot [redacted] 

(TS//SI//NF) NSA analyzed and disseminated [redacted] 
larger Intelligence Community [redacted] 

IV. (U) ABBREVIATIONS AND ORGANIZATIONS 


(U) ADET Associate Directorate for Education and Training 

(U) AIG Authorities Integration Group 

(U) [redacted] 

(U) ATSD(IO) Assistant to the Secretary of Defense for Intelligence Oversight 

(U) [redacted] 

(U) Bulk metadata [redacted] 

(U) BR Business Records 

(U) 

(U) CDR Call Detail Record 

(U) CIA Central Intelligence Agency 

(U) CMCP Comprehensive Mission Compliance Program 

(U) CSLI Cell site location information 

(U) CSP Communication Service Provider 

(U) CT Counterterrorism 

(U) DIA Data Integrity Analyst 

(U) DIRNSA Director, NSA 

(U) DMR Dataflow Management Request 

(U) DNI Director of National Intelligence 

(U) DoD Department of Defense 

(U) DoJ NSD Department of Justice, National Security Division 

(U) DTM Directive Type Memorandum 

(U) DTOI Date and Time of Intercept 

(U) EAR Emphatic Access Restriction 

(U) EDH Enterprise data header 

(U) [redacted] 

(b)(1) 
(b)(3)-P.L. 86-36 

(U) E.O. Executive Order 

(U) FAA FISA Amendments Act 

(U) FBI Federal Bureau of Investigation 

(U) FISA Foreign Intelligence Surveillance Act 

(U) FISC Foreign Intelligence Surveillance Court 

(U) FTP File Transfer Protocol 

(U) 

(U) 

(U) HMC Homeland Mission Coordinator 

(U) IC Intelligence Community 

(U) IMEI International Mobile Station Equipment Identity 

(U) IMSI International Mobile Subscriber Identity 

(U) IO Intelligence Oversight 

(U) LAO Legislative Affairs Office 

(U) MCT Multiple Communication Transaction 

(U) MPL Master Purge List 

(U) MRG Math Research Group 

(U) [redacted] 

(U) NCTC National Counterterrorism Center 

(U) NSA National Security Agency/Central Security Service 

(U) NSAW NSA Washington 

(U) NSD National Security Division 

(U) NSOC National Security Operations Center 

(U) ODNI Office of the Director of National Intelligence 

(U) ODOC Office of the Director of Compliance 

(U) OGC Office of General Counsel 

(U) OIG Office of the Inspector General 

(U) OTR Obligation to Review 

(U) PKI Public key infrastructure 

(U) Q Associate Directorate for Security and Counterintelligence 

(U) RAS Reasonable Articulable Suspicion 

(U) RFI Request for information 

(U) [redacted] 

(U) SIS Information Sharing Services Group 

(U) S2 Analysis and Production 

(U) S21 Counterterrorism Production Center 

(U) S214 Homeland Security Analysis Center 

(U) S3 Data Acquisition 

(U) S31324 [redacted] 

(U) S354 [redacted] 

(U) SCA Special compliance activity 

(U) SCIF Sensitive Compartmented Information Facility 

(U) 

(U) SID Signals Intelligence Directorate 

(U) SIGINT Signals Intelligence 

(U) 

(U) 

(U) SOO Senior Operations Officer 

(U) [redacted] 

(U) [redacted] 

(U) [redacted] Division 

(U) SV SID Oversight and Compliance 

(U) T12 

(U) T1222 

(U) T13] 

(U) T1323 

(U) T16 

(U) TD Technology Directorate 

(U) TR Targeting request 

(U) [redacted] 
(U) TV TD Office of Compliance 
(U) TV4 Compliance and Verification 
(U) USD(I) Undersecretary of Defense for Intelligence 
(U) USP U.S. person 
(U) USSID U.S. Signals Intelligence Directive 
(U) USSS U.S. SIGINT System 
(U) VoA Verification of accuracy 

(U) APPENDIX A: ABOUT THE §215 AND FAA §702 REVIEW 


(U) Reason for Review 


(U//FOUO) In September 2013, ten members of the Senate Committee on the 
Judiciary requested a comprehensive, independent review of the implementation of 
§215 of the USA PATRIOT Act and §702 of the Foreign Intelligence Surveillance 
Act (FISA) Amendments Act (FAA) of 2008 for calendar years 2010 through 2013. 


(U) Objectives 


(U//FOUO) In January 2014, the National Security Agency/Central Security Service’s 
(NSA) Office of the Inspector General (OIG) and Committee staff agreed that the 
NSA OIG would review NSA’s implementation of both authorities for calendar year 
2013. The study has three objectives: 


(U) Objective I 

• (U) Describe how data was collected, stored, analyzed, disseminated, and 
retained under the procedures for §215 and FAA §702 authorities in 
effect in 2013 and the steps taken to protect US Person information. 

• (U) Describe the restrictions on using the data and how the restrictions 
have been implemented, including a description of the data repositories 
and the controls for accessing data. 

• (U) Describe oversight and compliance activities performed by internal 
and external organizations in support of §215 Foreign Intelligence 
Surveillance Court (FISC) Orders and FAA §702 minimization 
procedures. 

(U) Objective II 

• (U) Describe incidents of non-compliance with §215 FISC Orders and 
FAA §702 Certifications and what NSA has done to minimize recurrence. 

(U) Objective III 

• (U) Describe how analysts used the data to support their intelligence 
missions. 


(U//FOUO) The report also provides a summary of the changes made in the 
implementation of both authorities for calendar years 2010 through 2012 and for 
§215, a list of incidents of non-compliance for calendar years 2010 through 2012. 

(U) Scope and Methodology 


(U//FOUO) Our study of NSA’s implementation of the §215 and FAA §702 
authorities was based largely on program stakeholder interviews and reviews of 
policies and procedures and other program documentation. For this review, the NSA 
OIG documented the controls implemented that address the requirements of each 
authority. However, we did not verify through testing whether the controls were 
operating as described by program stakeholders. 


(U) Section 215 


(U//FOUO) Our §215 review focused on the BR FISA program control framework, 
incidents of non-compliance, and NSA’s use of the authority to support its 
counterterrorism (CT) mission in 2013. To document the BR FISA control 
framework, we used BR Order 13-158, approved by the FISC on 11 October 2013 
and effective through 30 January 2014, and compared the requirements listed in that 
Order with the processes and controls NSA used to maintain compliance with that 
Order. In addition, we documented the changes implemented in the BR FISA 
program following the President’s directives in 2014. 


(U//FOUO) We interviewed personnel in the Signals Intelligence Directorate’s (SID) 
Oversight and Compliance (SV), Information Sharing Services Group (SIS), 
[illegible] (S214), [illegible] (S3) 
and Counterterrorism division; the Technology Directorate’s (TD) 
Office of Compliance (TV); [redacted] 
the Office of the Director of 
Compliance (ODOC); the Authorities Integration Group (AIG); the Legislative 
Affairs Office (LAO); and the Office of General Counsel (OGC). 


(U) FAA §702 


(TS//SI//NF) In addition to FAA §702 stakeholder interviews and reviews of policies 
and procedures and other program documentation, information obtained in the OIG’s 
Assessment of Management Controls Over FAA §702, revised and reissued 
29 March 2013, was also used as a resource. That review examined the controls that 
NSA used to maintain compliance with FAA §702 and the targeting and minimization 
procedures associated with the 2011 certifications. 


(TS//SI//NF) Our FAA §702 review focused on the processes and controls in place in 
2013. Two primary documents filed annually with each FAA §702 certification 
comprise NSA’s procedures for complying with the FISA Amendments Act of 2008: 


• (U//FOUO) The Procedures Used by the National Security Agency for 
Targeting Non-United States Persons Reasonably Believed to be Located 
Outside the United States to Acquire Foreign Intelligence Information 
Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, 
as Amended (FAA §702 Targeting Procedures), and 

• (U//FOUO) The Minimization Procedures Used by the National Security 
Agency in Connection with Acquisitions of Foreign Intelligence Information 
Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, 
as Amended (the FAA §702 Minimization Procedures). 


(U//FOUO) For calendar year 2013, the period under review, different versions of 
these documents were in effect because of changes made with the annual certification 
renewal and special amendments. 

• (U//FOUO) FAA §702 Targeting Procedures 

  o (U//FOUO) Procedures approved with the 2012 renewal of the authority, 
    effective 24 September 2012 

  o (U//FOUO) These procedures were not changed for the 2013 certification 
    renewal and remained effective 10 September 2013 through 9 September 
    2014. 

• (U//FOUO) FAA §702 Minimization Procedures 

  o Procedures approved for the 2012 certification renewal, approved 
    by the FISC 24 August 2012, were effective 24 September 2012 through 
    [illegible] September 2013; 

  o [redacted] 

(b)(1) 
(b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 


(U//FOUO) We also examined implementing procedures and controls for the 
Attorney General’s targeting guidelines. 


(U//FOUO) We interviewed personnel in SID Policy and Corporate Issues Staff 
[redacted] and Mission Capabilities [redacted], ODOC, the LAO, and OGC. 


(U) Prior Coverage 

(b)(3)-P.L. 86-36 


(U//FOUO) Since 24 May 2006, the date the original BR Order was signed, the NSA 
OIG has completed five BR FISA program reviews. Table A-1 summarizes the 
reviews the NSA OIG has performed on the BR FISA program. 

(U) Table A-1. NSA OIG Reviews of the BR FISA Program 


[date illegible] | Assessment of Management Controls for Implementing the FISC Order: Telephony BR (ST-06-0018) | Reviewed collection, processing, analysis, dissemination, and oversight controls. 

05/12/10 | NSA Controls for FISC BR Orders (ST-10-0004) | Reviewed querying and dissemination controls; summarized pilot test results for the period from January through March 2010. 

05/25/11 | Audit of NSA Controls to Comply with the FISC Order Regarding BR (ST-10-0004L)* | Reviewed querying and dissemination controls; summarized the monthly test results for 2010. 

10/20/11 | Audit of NSA Controls to Comply with the FISC Order Regarding BR Retention (ST-11-0011) | Verified age-off of BR FISA metadata in 2011 to maintain compliance with the 60 month retention requirement of the BR Order. 

08/01/12 | NSA Controls to Comply with the FISC Order Regarding BR Collection (ST-12-0003) | Reviewed collection and sampling controls for ensuring that NSA receives only the BR FISA metadata authorized by the BR Order. 


* This report summarized monthly test results of the BR querying and dissemination controls during 
2010. 


(U//FOUO) Since the Agency obtained FAA §702 authority in January 2008, the 
NSA OIG has completed annual reviews of reports containing references to USP 
identities and targets later determined to be located in the United States, as required 
by the statute. Table A-2 summarizes the two reviews the NSA OIG has completed 
of the FAA §702 program. 


(U) Table A-2. NSA OIG Reviews of the FAA §702 Program 


3/29/13 | (U) Assessment of Management Controls Over FAA §702 (ST-11-0009) | (U//FOUO) Reviewed management controls for maintaining compliance with the targeting and minimization procedures. 


(b)(1) 
(b)(3)-P.L. 86-36 

(U) APPENDIX B: BR FISA PROGRAM CHANGES 2010-2012


(U) 2010 


• (U//FOUO) On 25 June 2010 [illegible] NSA’s RAS selection term 
management system;


• [illegible] the Order requirement restricting the number of 
analysts allowed to access BR metadata was lifted.


• [illegible] the Order requirement for weekly reports of 
BR-related disseminations was changed to monthly.


[illegible] transaction records.


• [illegible] the Order requirement for NSA to review a sample 
of records obtained was changed to a review of NSA’s monitoring and assessment 
to ensure that only approved metadata is being acquired.


NSA notified the Court


• (U//FOUO) NSA notified the Court


• (U//FOUO) [illegible] the Court authorized NSA to implement an 
automated querying process.


11 (U//FOUO) NSA is no longer authorized to use the automated query process since it withdrew its request to do so 
in the renewal applications and declarations that support the BR Orders approved by the FISC (beginning with BR 
Order 14-67, dated 28 March 2014).

(U//FOUO) On 29 November 2012, the Order requirement to track and report the 
number of instances, since the preceding report, in which NSA has shared, in any 
form, results from queries of the BR metadata, in any form, with anyone outside 
NSA was changed to apply to only sharing of query results that contain 
U.S. person information.

(U) APPENDIX C: BR FISA PROGRAM INCIDENTS OF NON-COMPLIANCE 2010 THROUGH 2012


(U) Table C-1. BR FISA Incidents 2010 through 2012 


(b)(4) 
(b)(3)-P.L. 86-36 


* (U//FOUO) On 1 November 2010, Rule 10(b) and 10(c) notices were replaced by Rule 13(a) and 
13(b) notices respectively.
† (U//FOUO) Final Rule 10(c) notice [illegible] (b)(3)-P.L. 86-36
* (U//FOUO) Supplemental Rule 13(b) notice [illegible]

(U) APPENDIX D: FAA §702 PROGRAM CHANGES 


(U) Minimization Procedures 


(b)(3)-P.L. 86-36


(b)(3)-P.L. 86-36


(U) 2011 


• (U//FOUO) Language on upstream data added to Minimization Procedures. 


• (U//FOUO) The retention period for Upstream Data is reduced to two years.


• (U//FOUO) Clarified that the five-year retention period for unevaluated data 
began to run from the date of expiration of the certification under which the data 
was collected. Prior versions did not specify when the five-year period began. 


• (U//FOUO) Permitted queries using USP identifiers to identify and select 
communications. Requires pre-approval before any queries are made. 
Specifically excludes queries against upstream data. 


• (U//FOUO) Adds requirement to segregate Internet transactions that cannot be 
reasonably identified as containing single discrete communications. 


(U) 2012 


• (U//FOUO) Limited access to metadata from Internet transactions to data acquired 
on or after October 31, 2011. 


• (U//FOUO) Adds specific requirements for DIRNSA determination that a 
domestic communication can be retained. This includes a requirement that 
DIRNSA first determine that the sender or recipient of the domestic 
communication was properly targeted under FAA §702. 


(U) 2013 


• (U) An amendment to the Minimization procedures was made in late 2013. A 
section was added precluding NSA from using information acquired pursuant to 
FAA §702 unless NSA determines, based on the totality of the circumstances, that 
the target is reasonably believed to be outside the United States at the time the 
information was acquired. 


(b)(3)-50 USC 3024(i)


(b)(1) 
(b)(3)-P.L. 86-36 

(U) Other Changes 


(U) 2012 


• (TS//SI//NF) Congress notified by NSA [illegible]


(b)(1) (b)(1) 
(b)(3)-P.L. 86-36 (b)(3)-P.L. 86-36 
(b)(3)-50 USC 3024(i) 